
Windows Analysis Report
CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe

Overview

General Information

Sample name: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Analysis ID: 1564682
MD5: 85cd120b5698e12fda1e27b8ca8d4f99
SHA1: e9f66e5c3dc28b0ae844be5bb2d967a17b16c57e
SHA256: ef257e45ab2ef35a61db240928ea20173fb81a534fbc50a0ecd3667f76c9dc1e
Tags: AsyncRAT, exe, user-threatcat_ch

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe (PID: 5320 cmdline: "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe" MD5: 85CD120B5698E12FDA1E27B8CA8D4F99)
    • CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe (PID: 5432 cmdline: "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe" MD5: 85CD120B5698E12FDA1E27B8CA8D4F99)
      • powershell.exe (PID: 6528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": ["104.250.180.178"], "Port": 7061, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x16177:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x16214:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x16329:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x15791:$cnc4: POST / HTTP/1.1
00000000.00000002.2118237404.0000000003C49000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.2120973463.0000000005470000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000003.00000002.4573806671.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc34d:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe", ParentImage: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ParentProcessId: 5432, ParentProcessName: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', ProcessId: 6528, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe", ParentImage: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ParentProcessId: 5432, ParentProcessName: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', ProcessId: 6528, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe", ParentImage: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ParentProcessId: 5432, ParentProcessName: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', ProcessId: 6528, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ProcessId: 5432, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe", ParentImage: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ParentProcessId: 5432, ParentProcessName: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe', ProcessId: 6528, ProcessName: powershell.exe


AV Detection

Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe | Avira: detection malicious, Label: HEUR/AGEN.1307356
Source: 00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": 7061, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\XClient.exe | ReversingLabs: Detection: 50%
Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XClient.exe | Joe Sandbox ML: detected
Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Joe Sandbox ML: detected
Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | String decryptor: 104.250.180.178
Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | String decryptor: 7061
Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | String decryptor: <123456789>
Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | String decryptor: <Xwormmm>
Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | String decryptor: XWorm V5.2
Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | String decryptor: USB.exe
Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | String decryptor: %AppData%
Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack | String decryptor: XClient.exe
Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49748 -> 104.250.180.178:7061
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.6:49748
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49748 -> 104.250.180.178:7061
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.6:49748
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49748 -> 104.250.180.178:7061
Source: Malware configuration extractor | URLs: 104.250.180.178
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49748 -> 104.250.180.178:7061
Source: Joe Sandbox View | IP Address: 104.250.180.178
Source: Joe Sandbox View | ASN Name: M247GB
Source: unknown | TCP traffic detected without corresponding DNS query: 104.250.180.178
                  Source: powershell.exe, 00000004.00000002.2179853697.0000000007C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                  Source: powershell.exe, 00000007.00000002.2226109028.000000000896E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                  Source: powershell.exe, 0000000B.00000002.2336268783.0000000008701000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftNR
                  Source: powershell.exe, 0000000B.00000002.2336909352.000000000870A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mw
                  Source: powershell.exe, 00000004.00000002.2176648442.0000000006147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218190584.0000000005E87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000004.00000002.2171843050.0000000005236000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2246761414.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.4586866118.0000000003351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2171843050.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2246761414.0000000004281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.0000000004D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000004.00000002.2171843050.0000000005236000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2246761414.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000009.00000002.2272844787.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
                  Source: powershell.exe, 00000009.00000002.2272844787.0000000007D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                  Source: powershell.exe, 00000004.00000002.2171843050.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2246761414.0000000004281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.0000000004D81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, XClient.exe.3.dr | String found in binary or memory: https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac
                  Source: powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000007.00000002.2208523240.000000000560E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.000000000577E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.000000000548D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                  Source: powershell.exe, 00000009.00000002.2272844787.0000000007D61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=4.zu
                  Source: powershell.exe, 00000004.00000002.2176648442.0000000006147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218190584.0000000005E87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                  System Summary

                  Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000003.00000002.4573806671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000002.2117918407.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 0_2_00EC43E80_2_00EC43E8
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 0_2_00ECE0940_2_00ECE094
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 0_2_00EC70510_2_00EC7051
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 3_2_031A61C53_2_031A61C5
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 3_2_031A44D03_2_031A44D0
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 3_2_031A4AC83_2_031A4AC8
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 3_2_031A14583_2_031A1458
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 3_2_031A4AB83_2_031A4AB8
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeCode function: 3_2_031A14383_2_031A1438
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0377B4A04_2_0377B4A0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_0377B4904_2_0377B490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_08FA3A984_2_08FA3A98
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_04DEB4907_2_04DEB490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_04DEB4707_2_04DEB470
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_0424B4909_2_0424B490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_0424B4709_2_0424B470
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_04B9B49011_2_04B9B490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_08C03E9811_2_08C03E98
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2121642475.0000000007600000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2118237404.0000000003C49000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2120973463.0000000005470000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2117495462.0000000000EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2118237404.0000000003C82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2117918407.0000000002C41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000000.2105979628.0000000000802000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHJpH.exeF vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000000.00000002.2117918407.0000000002CCF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.4601551558.0000000006569000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.4573806671.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.4598237702.0000000004351000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHJpH.exeF vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeBinary or memory string: OriginalFilenameHJpH.exeF vs CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000003.00000002.4573806671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000002.2117918407.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: XClient.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.raw.unpack, kAOj1Y7pfP90kycNNw.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, evBSdWeBEycC8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 3QiiXqkghrMk1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 3QiiXqkghrMk1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack, kAOj1Y7pfP90kycNNw.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.raw.unpack, kAOj1Y7pfP90kycNNw.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, evBSdWeBEycC8.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 3QiiXqkghrMk1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 3QiiXqkghrMk1.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, gtv0gssvKWWRAOg38T65o.csBase64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, gtv0gssvKWWRAOg38T65o.csBase64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, CpKB5Yi40nJNUGQi0x.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, CpKB5Yi40nJNUGQi0x.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, y42W1bnvO6P0K.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, y42W1bnvO6P0K.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: _0020.SetAccessControl
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, geF8IdT0lKjHIYOf0g.csSecurity API names: _0020.AddAccessRule
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, CpKB5Yi40nJNUGQi0x.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, y42W1bnvO6P0K.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, y42W1bnvO6P0K.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@15/21@0/1
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.logJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeMutant created: \Sessions\1\BaseNamedObjects\XczLagvCjDnYaiUQ
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:592:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeReversingLabs: Detection: 50%
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeFile read: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe'
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe'
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: XClient.lnk.3.dr | LNK file: ..\..\..\..\..\XClient.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack, kAOj1Y7pfP90kycNNw.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.raw.unpack, kAOj1Y7pfP90kycNNw.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, geF8IdT0lKjHIYOf0g.cs | .Net Code: ELYHjy8dxk System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs | .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, geF8IdT0lKjHIYOf0g.cs | .Net Code: ELYHjy8dxk System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: EcGTN38sUvr8r
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack, GtaAIbrHXObmMm8GPA.cs | .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, geF8IdT0lKjHIYOf0g.cs | .Net Code: ELYHjy8dxk System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.raw.unpack, GtaAIbrHXObmMm8GPA.cs | .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 4QBfyOitSe4w0.cs | .Net Code: EcGTN38sUvr8r
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Code function: 3_2_031AE085 push eax; iretd 3_2_031AE086
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Code function: 3_2_031A5F75 push esp; retf 3_2_031A5F85
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0377634D push eax; ret 4_2_03776361
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_03773A9C push ebx; retf 4_2_03773ADA
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08FA6050 push cs; iretd 4_2_08FA607A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08FA87C0 push edx; iretd 4_2_08FA87CA
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08FA8735 push edx; iretd 4_2_08FA87CA
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_04DE6348 push eax; ret 7_2_04DE6351
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0424632D push eax; ret 9_2_04246341
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0424EC08 push B61807CCh; retf 9_2_0424EDE6
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0424AC6B push ecx; retf 9_2_0424AC8A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0424AC8B push ecx; retf 9_2_0424AC9A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_0424AC9B push ecx; retf 9_2_0424ACAA
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_04243A78 push ebx; retf 9_2_04243ADA
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Static PE information: section name: .text entropy: 7.759895673632601
                  Source: XClient.exe.3.dr | Static PE information: section name: .text entropy: 7.759895673632601
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, H5WrvcIpdIDx4s56t8.cs | High entropy of concatenated method names: 'Crpch2A4qq', 'w6ucwikw6Q', 'LtBeKlKF7U', 'QN3eLhqb2e', 'pOmeAUyseT', 'uI4er2ynJF', 'YTjeSUgHXq', 'GVnePEDNeP', 'Bxue9niomR', 'PFxe5e3YpP'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, cBQfocMBpUBmAehNx3.cs | High entropy of concatenated method names: 'ej9tisbO7n', 'MtGtbBb9RS', 'aZGtBSV8C7', 'Lhot8aCALL', 'OYutLfJC6B', 'b01tAhvDS5', 'BTUtSpZTdU', 'XhxtP5LmMq', 'asct5Z7ops', 'uqVt0igwWs'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, geF8IdT0lKjHIYOf0g.cs | High entropy of concatenated method names: 'LCOog9iHmo', 'iISoaXIdAX', 'G77oEYFqoS', 'Mxhoeoc6Gs', 'Lwuoc2Y02M', 'nTXo46oTN4', 'zDbovPFN55', 'q8hoTgfy47', 'JGToqEEncq', 'nT6oQL1gF6'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, XJ5kXdCCneGYSn0r6u7.cs | High entropy of concatenated method names: 'yXY7XcqGy4', 'rSw7zOJqi6', 'rlQGFLQiYa', 'sAjGCfKDUi', 'uMFGWrtIub', 'tibGoOEnDf', 'Bb9GHrRu9q', 'Iw3GgICPf9', 'uwqGaFRGtF', 'qICGELs8QY'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, bShRCPUA85aPqi5ErA.cs | High entropy of concatenated method names: 'uKN3VjAZYr', 'VGd3XiXJHB', 'DcKlFYSvqX', 'FPPlCcEw6g', 'sRk30pZUn4', 'lNU3fuj2Fa', 'i8T3MNa1d8', 'i6o3JGQPTg', 'kLI32oDAGl', 'YPu3y5BUGI'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, RWQpfHSEOx55v2AXsT.cs | High entropy of concatenated method names: 'ARjvanPfxC', 'bHSvegOwY5', 'Kqpv4By6oY', 'h644XySfke', 'b854z4NNDr', 'iNwvFEm79X', 'R7MvCcmbFU', 'fjmvW0TDTE', 'g8NvoJoJ2l', 'DBfvHLGJTg'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, GkGQNKHwM86ImvAwMy.cs | High entropy of concatenated method names: 'SmwCvpKB5Y', 'j0nCTJNUGQ', 'udGCQaKXuH', 'JqVCOpK5Wr', 'x56C1t8KEp', 'yBnCxbCfLV', 'Wbc4dT9WdZpK4UiZ8y', 'LglmPwKGNUJTZ4154h', 'pZHCCTE8ll', 'peZCoughT7'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, ghMVAfyZqncHwCAPM8.cs | High entropy of concatenated method names: 'ToString', 'l0Vx0A2w18', 'FU5x82KkJo', 'vRZxKIFvAD', 'NLQxLXg2Eo', 'CWUxA2O8f3', 'aMXxrg45yy', 'DStxSiVjO1', 'irtxPYWIdh', 'jGvx9FTrYD'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, TAqZSyRSlHj0UpOUpV.cs | High entropy of concatenated method names: 'rva3QddV3L', 'bJP3OcW8Co', 'ToString', 'sQd3aA03hB', 'Pmv3Ed9TpM', 'ljq3ed3GiX', 'epW3cq1NxG', 'AKv34N07eY', 'nr33vqgwiZ', 'Fpq3TAUqES'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, r2g65xEfUlBr2wCsxf.cs | High entropy of concatenated method names: 'Dispose', 'W5MCNMU2sx', 'okGW8osCuc', 'JuL0UhomAy', 'pDLCXhoh9x', 'P6GCzALHhA', 'ProcessDialogKey', 'SNkWFlXv9h', 'kNAWCBm5u9', 'NShWWBBmXi'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, H0lBo69uQbwdE1OeBQ.cs | High entropy of concatenated method names: 'rXSvdsd4AH', 'yVhvDVgfrA', 'NjGvjGVgmt', 'qBmvu7xXtJ', 'wRqvhgvxN7', 'wgUvpXqo8u', 'AUZvwfc2MX', 'P3Lvi8umYV', 'uBZvbHsyip', 'qtkvI3uHUV'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, Ynsrm5z00Fy3ofcU1H.cs | High entropy of concatenated method names: 'bc17p2VqjX', 'PE17iwOjhE', 'NZG7biaa1e', 'qJS7BMkSFU', 'qm6781aNrk', 'wUG7Le0IG0', 'O0k7AdWX6r', 'oRy7sBrhQ2', 'VOL7dY7KLX', 'uMr7DNL9bf'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, HEpDBnBbCfLVLeh3Ue.cs | High entropy of concatenated method names: 'WaY4gCNCcR', 'hAI4Em7bgT', 'LP94cdfdi9', 'e9w4vnLK5e', 'yRk4TD0Lc3', 'gsQcZGfMmp', 'qi1cUvBT1C', 'jTQc6PVhUO', 'bPEcVOoFra', 'OnIcNhqytc'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, oxC1yACFycpp0JvCall.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Nh370lHmSY', 'Wdi7f1uxCg', 'geu7MdMU8d', 'RLW7JwwAkL', 'HtN72NaUdi', 'biu7yG99la', 'AO07R1mJux'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, FImpbKJLPYclrTaNoq.cs | High entropy of concatenated method names: 'pv315v9Rmg', 'Tlm1f2riXG', 'uCc1Jqs0uY', 'E0W12HulGT', 'WfB18isdpD', 'sfC1KKhxl7', 'LgU1LQxOAB', 'HER1AdWIpu', 'y1i1rYKFAM', 'Bh31SOphLb'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, fpJbAF6eiV5MMU2sxx.cs | High entropy of concatenated method names: 'EiQm1hSBJJ', 'BTUm3SdOGQ', 'qtommnUQdy', 'yiKmGUPWwq', 'egymkawj1M', 'PRcms4CNKq', 'Dispose', 'IfTlaLgrgY', 'bdklE2qMEp', 'a5FlexilvD'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, vlXv9hNTNABm5u95Sh.cs | High entropy of concatenated method names: 'WNCmBvjr3A', 'lZwm8D9pCg', 'buwmK4IprU', 'vR2mLfeidy', 'cT4mAhsmYk', 'hTAmrMGcx8', 'kYCmSr0Trd', 'oqWmPFJZqJ', 'q7Rm939dwO', 'vBBm5MlSYR'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, Upx6ZnbdGaKXuHrqVp.cs | High entropy of concatenated method names: 'InmeuCMyxS', 'JYEepRNZTo', 'vIEeiayVIG', 'tYAebwweOo', 'st3e1OZuZd', 'Fp3exHwvY3', 'xWTe3V1JL3', 'jOMelN5V5u', 'BuLemrQctX', 'DDxe7I36Uw'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, GBmXiCX0K06WYKYAMC.cs | High entropy of concatenated method names: 'nMT7eU5wv2', 'VuL7cUieI5', 'srY74pkHNr', 'kAp7vrrdDB', 'MR67mfmaod', 'IXa7T6d2eX', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, CpKB5Yi40nJNUGQi0x.cs | High entropy of concatenated method names: 'QUDEJiAp8d', 'Jy5E2QWZAS', 'JrnEyEwqaD', 'HZoERfiYVu', 'GqcEZ3IOc5', 'ktYEUuQHNO', 'd5PE623Yhh', 'w3KEVwCrBs', 'CRVENwYZiU', 'b1VEXPeQKB'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3ddc3b8.4.raw.unpack, OcwpJ5WHSmnFXs6YXy.cs | High entropy of concatenated method names: 'AHcjdAy9O', 'pOduguscZ', 'Rccpa2SiB', 'LL2wXsjGj', 'suvb3qvKx', 'no9IWOVuQ', 'zEk0waHf6HLMDtwtvg', 'j2Fes3NaRilGtN1hLY', 'Bq1lA9rfV', 'xrW7IV1FO'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.raw.unpack, FZaOUuOPvnEAfIAr0M.cs | High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs | High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs | High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, H5WrvcIpdIDx4s56t8.cs | High entropy of concatenated method names: 'Crpch2A4qq', 'w6ucwikw6Q', 'LtBeKlKF7U', 'QN3eLhqb2e', 'pOmeAUyseT', 'uI4er2ynJF', 'YTjeSUgHXq', 'GVnePEDNeP', 'Bxue9niomR', 'PFxe5e3YpP'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, cBQfocMBpUBmAehNx3.cs | High entropy of concatenated method names: 'ej9tisbO7n', 'MtGtbBb9RS', 'aZGtBSV8C7', 'Lhot8aCALL', 'OYutLfJC6B', 'b01tAhvDS5', 'BTUtSpZTdU', 'XhxtP5LmMq', 'asct5Z7ops', 'uqVt0igwWs'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, geF8IdT0lKjHIYOf0g.cs | High entropy of concatenated method names: 'LCOog9iHmo', 'iISoaXIdAX', 'G77oEYFqoS', 'Mxhoeoc6Gs', 'Lwuoc2Y02M', 'nTXo46oTN4', 'zDbovPFN55', 'q8hoTgfy47', 'JGToqEEncq', 'nT6oQL1gF6'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, XJ5kXdCCneGYSn0r6u7.cs | High entropy of concatenated method names: 'yXY7XcqGy4', 'rSw7zOJqi6', 'rlQGFLQiYa', 'sAjGCfKDUi', 'uMFGWrtIub', 'tibGoOEnDf', 'Bb9GHrRu9q', 'Iw3GgICPf9', 'uwqGaFRGtF', 'qICGELs8QY'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, bShRCPUA85aPqi5ErA.cs | High entropy of concatenated method names: 'uKN3VjAZYr', 'VGd3XiXJHB', 'DcKlFYSvqX', 'FPPlCcEw6g', 'sRk30pZUn4', 'lNU3fuj2Fa', 'i8T3MNa1d8', 'i6o3JGQPTg', 'kLI32oDAGl', 'YPu3y5BUGI'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, RWQpfHSEOx55v2AXsT.cs | High entropy of concatenated method names: 'ARjvanPfxC', 'bHSvegOwY5', 'Kqpv4By6oY', 'h644XySfke', 'b854z4NNDr', 'iNwvFEm79X', 'R7MvCcmbFU', 'fjmvW0TDTE', 'g8NvoJoJ2l', 'DBfvHLGJTg'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, GkGQNKHwM86ImvAwMy.cs | High entropy of concatenated method names: 'SmwCvpKB5Y', 'j0nCTJNUGQ', 'udGCQaKXuH', 'JqVCOpK5Wr', 'x56C1t8KEp', 'yBnCxbCfLV', 'Wbc4dT9WdZpK4UiZ8y', 'LglmPwKGNUJTZ4154h', 'pZHCCTE8ll', 'peZCoughT7'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, ghMVAfyZqncHwCAPM8.cs | High entropy of concatenated method names: 'ToString', 'l0Vx0A2w18', 'FU5x82KkJo', 'vRZxKIFvAD', 'NLQxLXg2Eo', 'CWUxA2O8f3', 'aMXxrg45yy', 'DStxSiVjO1', 'irtxPYWIdh', 'jGvx9FTrYD'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, TAqZSyRSlHj0UpOUpV.cs | High entropy of concatenated method names: 'rva3QddV3L', 'bJP3OcW8Co', 'ToString', 'sQd3aA03hB', 'Pmv3Ed9TpM', 'ljq3ed3GiX', 'epW3cq1NxG', 'AKv34N07eY', 'nr33vqgwiZ', 'Fpq3TAUqES'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, r2g65xEfUlBr2wCsxf.cs | High entropy of concatenated method names: 'Dispose', 'W5MCNMU2sx', 'okGW8osCuc', 'JuL0UhomAy', 'pDLCXhoh9x', 'P6GCzALHhA', 'ProcessDialogKey', 'SNkWFlXv9h', 'kNAWCBm5u9', 'NShWWBBmXi'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, H0lBo69uQbwdE1OeBQ.cs | High entropy of concatenated method names: 'rXSvdsd4AH', 'yVhvDVgfrA', 'NjGvjGVgmt', 'qBmvu7xXtJ', 'wRqvhgvxN7', 'wgUvpXqo8u', 'AUZvwfc2MX', 'P3Lvi8umYV', 'uBZvbHsyip', 'qtkvI3uHUV'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, Ynsrm5z00Fy3ofcU1H.cs | High entropy of concatenated method names: 'bc17p2VqjX', 'PE17iwOjhE', 'NZG7biaa1e', 'qJS7BMkSFU', 'qm6781aNrk', 'wUG7Le0IG0', 'O0k7AdWX6r', 'oRy7sBrhQ2', 'VOL7dY7KLX', 'uMr7DNL9bf'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, HEpDBnBbCfLVLeh3Ue.cs | High entropy of concatenated method names: 'WaY4gCNCcR', 'hAI4Em7bgT', 'LP94cdfdi9', 'e9w4vnLK5e', 'yRk4TD0Lc3', 'gsQcZGfMmp', 'qi1cUvBT1C', 'jTQc6PVhUO', 'bPEcVOoFra', 'OnIcNhqytc'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, oxC1yACFycpp0JvCall.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Nh370lHmSY', 'Wdi7f1uxCg', 'geu7MdMU8d', 'RLW7JwwAkL', 'HtN72NaUdi', 'biu7yG99la', 'AO07R1mJux'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, FImpbKJLPYclrTaNoq.cs | High entropy of concatenated method names: 'pv315v9Rmg', 'Tlm1f2riXG', 'uCc1Jqs0uY', 'E0W12HulGT', 'WfB18isdpD', 'sfC1KKhxl7', 'LgU1LQxOAB', 'HER1AdWIpu', 'y1i1rYKFAM', 'Bh31SOphLb'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, fpJbAF6eiV5MMU2sxx.cs | High entropy of concatenated method names: 'EiQm1hSBJJ', 'BTUm3SdOGQ', 'qtommnUQdy', 'yiKmGUPWwq', 'egymkawj1M', 'PRcms4CNKq', 'Dispose', 'IfTlaLgrgY', 'bdklE2qMEp', 'a5FlexilvD'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, vlXv9hNTNABm5u95Sh.cs | High entropy of concatenated method names: 'WNCmBvjr3A', 'lZwm8D9pCg', 'buwmK4IprU', 'vR2mLfeidy', 'cT4mAhsmYk', 'hTAmrMGcx8', 'kYCmSr0Trd', 'oqWmPFJZqJ', 'q7Rm939dwO', 'vBBm5MlSYR'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, Upx6ZnbdGaKXuHrqVp.cs | High entropy of concatenated method names: 'InmeuCMyxS', 'JYEepRNZTo', 'vIEeiayVIG', 'tYAebwweOo', 'st3e1OZuZd', 'Fp3exHwvY3', 'xWTe3V1JL3', 'jOMelN5V5u', 'BuLemrQctX', 'DDxe7I36Uw'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, GBmXiCX0K06WYKYAMC.cs | High entropy of concatenated method names: 'nMT7eU5wv2', 'VuL7cUieI5', 'srY74pkHNr', 'kAp7vrrdDB', 'MR67mfmaod', 'IXa7T6d2eX', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, CpKB5Yi40nJNUGQi0x.cs | High entropy of concatenated method names: 'QUDEJiAp8d', 'Jy5E2QWZAS', 'JrnEyEwqaD', 'HZoERfiYVu', 'GqcEZ3IOc5', 'ktYEUuQHNO', 'd5PE623Yhh', 'w3KEVwCrBs', 'CRVENwYZiU', 'b1VEXPeQKB'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.7600000.7.raw.unpack, OcwpJ5WHSmnFXs6YXy.cs | High entropy of concatenated method names: 'AHcjdAy9O', 'pOduguscZ', 'Rccpa2SiB', 'LL2wXsjGj', 'suvb3qvKx', 'no9IWOVuQ', 'zEk0waHf6HLMDtwtvg', 'j2Fes3NaRilGtN1hLY', 'Bq1lA9rfV', 'xrW7IV1FO'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, OEGyOZzp9CU9Z.cs | High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, xEwUvc4BlwXCJ.cs | High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, qMGvLJvouSdkL.cs | High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 3QiiXqkghrMk1.cs | High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, y42W1bnvO6P0K.cs | High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, 4QBfyOitSe4w0.cs | High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, yI26puFLQ4OeW.cs | High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack, FZaOUuOPvnEAfIAr0M.cs | High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack, GtaAIbrHXObmMm8GPA.cs | High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack, kAOj1Y7pfP90kycNNw.cs | High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, H5WrvcIpdIDx4s56t8.cs | High entropy of concatenated method names: 'Crpch2A4qq', 'w6ucwikw6Q', 'LtBeKlKF7U', 'QN3eLhqb2e', 'pOmeAUyseT', 'uI4er2ynJF', 'YTjeSUgHXq', 'GVnePEDNeP', 'Bxue9niomR', 'PFxe5e3YpP'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, cBQfocMBpUBmAehNx3.cs | High entropy of concatenated method names: 'ej9tisbO7n', 'MtGtbBb9RS', 'aZGtBSV8C7', 'Lhot8aCALL', 'OYutLfJC6B', 'b01tAhvDS5', 'BTUtSpZTdU', 'XhxtP5LmMq', 'asct5Z7ops', 'uqVt0igwWs'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, geF8IdT0lKjHIYOf0g.cs | High entropy of concatenated method names: 'LCOog9iHmo', 'iISoaXIdAX', 'G77oEYFqoS', 'Mxhoeoc6Gs', 'Lwuoc2Y02M', 'nTXo46oTN4', 'zDbovPFN55', 'q8hoTgfy47', 'JGToqEEncq', 'nT6oQL1gF6'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, XJ5kXdCCneGYSn0r6u7.cs | High entropy of concatenated method names: 'yXY7XcqGy4', 'rSw7zOJqi6', 'rlQGFLQiYa', 'sAjGCfKDUi', 'uMFGWrtIub', 'tibGoOEnDf', 'Bb9GHrRu9q', 'Iw3GgICPf9', 'uwqGaFRGtF', 'qICGELs8QY'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, bShRCPUA85aPqi5ErA.cs | High entropy of concatenated method names: 'uKN3VjAZYr', 'VGd3XiXJHB', 'DcKlFYSvqX', 'FPPlCcEw6g', 'sRk30pZUn4', 'lNU3fuj2Fa', 'i8T3MNa1d8', 'i6o3JGQPTg', 'kLI32oDAGl', 'YPu3y5BUGI'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, RWQpfHSEOx55v2AXsT.cs | High entropy of concatenated method names: 'ARjvanPfxC', 'bHSvegOwY5', 'Kqpv4By6oY', 'h644XySfke', 'b854z4NNDr', 'iNwvFEm79X', 'R7MvCcmbFU', 'fjmvW0TDTE', 'g8NvoJoJ2l', 'DBfvHLGJTg'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, GkGQNKHwM86ImvAwMy.cs | High entropy of concatenated method names: 'SmwCvpKB5Y', 'j0nCTJNUGQ', 'udGCQaKXuH', 'JqVCOpK5Wr', 'x56C1t8KEp', 'yBnCxbCfLV', 'Wbc4dT9WdZpK4UiZ8y', 'LglmPwKGNUJTZ4154h', 'pZHCCTE8ll', 'peZCoughT7'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, ghMVAfyZqncHwCAPM8.cs | High entropy of concatenated method names: 'ToString', 'l0Vx0A2w18', 'FU5x82KkJo', 'vRZxKIFvAD', 'NLQxLXg2Eo', 'CWUxA2O8f3', 'aMXxrg45yy', 'DStxSiVjO1', 'irtxPYWIdh', 'jGvx9FTrYD'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, TAqZSyRSlHj0UpOUpV.cs | High entropy of concatenated method names: 'rva3QddV3L', 'bJP3OcW8Co', 'ToString', 'sQd3aA03hB', 'Pmv3Ed9TpM', 'ljq3ed3GiX', 'epW3cq1NxG', 'AKv34N07eY', 'nr33vqgwiZ', 'Fpq3TAUqES'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, r2g65xEfUlBr2wCsxf.cs | High entropy of concatenated method names: 'Dispose', 'W5MCNMU2sx', 'okGW8osCuc', 'JuL0UhomAy', 'pDLCXhoh9x', 'P6GCzALHhA', 'ProcessDialogKey', 'SNkWFlXv9h', 'kNAWCBm5u9', 'NShWWBBmXi'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, H0lBo69uQbwdE1OeBQ.cs | High entropy of concatenated method names: 'rXSvdsd4AH', 'yVhvDVgfrA', 'NjGvjGVgmt', 'qBmvu7xXtJ', 'wRqvhgvxN7', 'wgUvpXqo8u', 'AUZvwfc2MX', 'P3Lvi8umYV', 'uBZvbHsyip', 'qtkvI3uHUV'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, Ynsrm5z00Fy3ofcU1H.cs | High entropy of concatenated method names: 'bc17p2VqjX', 'PE17iwOjhE', 'NZG7biaa1e', 'qJS7BMkSFU', 'qm6781aNrk', 'wUG7Le0IG0', 'O0k7AdWX6r', 'oRy7sBrhQ2', 'VOL7dY7KLX', 'uMr7DNL9bf'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, HEpDBnBbCfLVLeh3Ue.cs | High entropy of concatenated method names: 'WaY4gCNCcR', 'hAI4Em7bgT', 'LP94cdfdi9', 'e9w4vnLK5e', 'yRk4TD0Lc3', 'gsQcZGfMmp', 'qi1cUvBT1C', 'jTQc6PVhUO', 'bPEcVOoFra', 'OnIcNhqytc'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, oxC1yACFycpp0JvCall.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Nh370lHmSY', 'Wdi7f1uxCg', 'geu7MdMU8d', 'RLW7JwwAkL', 'HtN72NaUdi', 'biu7yG99la', 'AO07R1mJux'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, FImpbKJLPYclrTaNoq.cs | High entropy of concatenated method names: 'pv315v9Rmg', 'Tlm1f2riXG', 'uCc1Jqs0uY', 'E0W12HulGT', 'WfB18isdpD', 'sfC1KKhxl7', 'LgU1LQxOAB', 'HER1AdWIpu', 'y1i1rYKFAM', 'Bh31SOphLb'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, fpJbAF6eiV5MMU2sxx.cs | High entropy of concatenated method names: 'EiQm1hSBJJ', 'BTUm3SdOGQ', 'qtommnUQdy', 'yiKmGUPWwq', 'egymkawj1M', 'PRcms4CNKq', 'Dispose', 'IfTlaLgrgY', 'bdklE2qMEp', 'a5FlexilvD'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, vlXv9hNTNABm5u95Sh.cs | High entropy of concatenated method names: 'WNCmBvjr3A', 'lZwm8D9pCg', 'buwmK4IprU', 'vR2mLfeidy', 'cT4mAhsmYk', 'hTAmrMGcx8', 'kYCmSr0Trd', 'oqWmPFJZqJ', 'q7Rm939dwO', 'vBBm5MlSYR'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, Upx6ZnbdGaKXuHrqVp.cs | High entropy of concatenated method names: 'InmeuCMyxS', 'JYEepRNZTo', 'vIEeiayVIG', 'tYAebwweOo', 'st3e1OZuZd', 'Fp3exHwvY3', 'xWTe3V1JL3', 'jOMelN5V5u', 'BuLemrQctX', 'DDxe7I36Uw'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, GBmXiCX0K06WYKYAMC.cs | High entropy of concatenated method names: 'nMT7eU5wv2', 'VuL7cUieI5', 'srY74pkHNr', 'kAp7vrrdDB', 'MR67mfmaod', 'IXa7T6d2eX', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, CpKB5Yi40nJNUGQi0x.cs | High entropy of concatenated method names: 'QUDEJiAp8d', 'Jy5E2QWZAS', 'JrnEyEwqaD', 'HZoERfiYVu', 'GqcEZ3IOc5', 'ktYEUuQHNO', 'd5PE623Yhh', 'w3KEVwCrBs', 'CRVENwYZiU', 'b1VEXPeQKB'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3e2f1d8.3.raw.unpack, OcwpJ5WHSmnFXs6YXy.cs | High entropy of concatenated method names: 'AHcjdAy9O', 'pOduguscZ', 'Rccpa2SiB', 'LL2wXsjGj', 'suvb3qvKx', 'no9IWOVuQ', 'zEk0waHf6HLMDtwtvg', 'j2Fes3NaRilGtN1hLY', 'Bq1lA9rfV', 'xrW7IV1FO'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.raw.unpack, FZaOUuOPvnEAfIAr0M.cs | High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.raw.unpack, GtaAIbrHXObmMm8GPA.cs | High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.raw.unpack, kAOj1Y7pfP90kycNNw.cs | High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, OEGyOZzp9CU9Z.cs | High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, xEwUvc4BlwXCJ.cs | High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, qMGvLJvouSdkL.cs | High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 3QiiXqkghrMk1.csHigh entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, y42W1bnvO6P0K.csHigh entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, 4QBfyOitSe4w0.csHigh entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
                  Source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, yI26puFLQ4OeW.csHigh entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | File created: \ci-pl- hbl# wspae1311198 vsl# cosco netherlands v-067e.scr.exe
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 5320, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: EC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: 2C40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: 1290000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: 92C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: 77A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: A2C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: B2C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: 31A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: 3350000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: 5350000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Window / User API: threadDelayed 5835
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Window / User API: threadDelayed 3980
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7247
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2441
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6410
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3258
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7706
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2010
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7760
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1386
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe TID: 4304 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe TID: 6312 Thread sleep time: -26747778906878833s >= -30000s
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe TID: 2184 Thread sleep count: 5835 > 30
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe TID: 2184 Thread sleep count: 3980 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4976 Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1048 Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5320 Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2724 Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6792 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6088 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe File Volume queried: C:\ FullSizeInformation
                  Source: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.4575967408.000000000161F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe'
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Process created: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe "C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe'
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Queries volume information: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe VolumeInformation
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000000.00000002.2118237404.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.2120973463.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.2117918407.0000000002CCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000003.00000002.4573806671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.2117918407.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000003.00000002.4586866118.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 5320, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 5432, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.3c624c8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.5470000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2cdd7f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2118237404.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2120973463.0000000005470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2117918407.0000000002CCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2ca3b10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe.2c4ba6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4573806671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2117918407.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4586866118.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 5320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe PID: 5432, type: MEMORYSTR
MITRE ATT&CK Matrix (per tactic; a number in front of a technique is the count the report shows beside that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1564682
Sample: CI-PL- HBL# WSPAE1311198 VS...
Start date: 28/11/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures
Process tree:
• CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe (started)
  • Dropped file: CI-PL- HBL# WSPAE1... V-067E.scr.exe.log, ASCII
  • CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe (started)
    • DNS/IP: 104.250.180.178, ports 49748, 7061, M247GB, United States
    • Dropped file: C:\Users\user\AppData\Roaming\XClient.exe, PE32
    • Signature: Adds a directory exclusion to Windows Defender
    • powershell.exe (started, 4 instances); signature on the first instance: Loading BitLocker PowerShell Module
      • conhost.exe (started, one per powershell.exe instance)

Source | Detection | Scanner | Label
CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | 100% | Avira | HEUR/AGEN.1307356
CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | 100% | Joe Sandbox ML | -
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | HEUR/AGEN.1307356
C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\XClient.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://crl.microsoftNR | 0% | Avira URL Cloud | safe
http://crl.mw | 0% | Avira URL Cloud | safe
https://ion=4.zu | 0% | Avira URL Cloud | safe
https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac | 0% | Avira URL Cloud | safe
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
104.250.180.178 | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2176648442.0000000006147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218190584.0000000005E87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.micro | powershell.exe, 00000004.00000002.2179853697.0000000007C6D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000004.00000002.2171843050.0000000005236000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2246761414.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.2171843050.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2246761414.0000000004281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.0000000004D81000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microsoft | powershell.exe, 00000007.00000002.2226109028.000000000896E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000007.00000002.2208523240.000000000560E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.000000000577E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.000000000548D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.mw | powershell.exe, 0000000B.00000002.2336909352.000000000870A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000004.00000002.2171843050.0000000005236000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.0000000004F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2246761414.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2176648442.0000000006147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2218190584.0000000005E87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.microsoft.co | powershell.exe, 00000009.00000002.2272844787.0000000007D61000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2324964262.0000000005DE7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac | CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, XClient.exe.3.dr | false | Avira URL Cloud: safe | unknown
http://www.microsoft. | powershell.exe, 00000009.00000002.2272844787.0000000007DBB000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe, 00000003.00000002.4586866118.0000000003351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2171843050.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2208523240.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2246761414.0000000004281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2300039544.0000000004D81000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2300039544.0000000004ED6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ion=4.zu | powershell.exe, 00000009.00000002.2272844787.0000000007D61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.microsoftNR | powershell.exe, 0000000B.00000002.2336268783.0000000008701000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.250.180.178 | unknown | United States | 9009 | M247GB | true
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1564682
                                                      Start date and time:2024-11-28 17:41:07 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 8m 46s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.evad.winEXE@15/21@0/1
                                                      EGA Information:
                                                      • Successful, ratio: 66.7%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 310
                                                      • Number of non-executed functions: 4
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target powershell.exe, PID 6492 because it is empty
                                                      • Execution Graph export aborted for target powershell.exe, PID 672 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • VT rate limit hit for: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
Time | Type | Description
11:42:00 | API Interceptor | 8257710x Sleep call for process: CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe modified
11:42:05 | API Interceptor | 39x Sleep call for process: powershell.exe modified
17:42:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
104.250.180.178 | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | Remcos
104.250.180.178 | PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | XWorm
104.250.180.178 | rSOD219ISF-____.scr.exe | malicious | Remcos
104.250.180.178 | rWWTLCLtoUSADCL.scr.exe | malicious | XWorm
104.250.180.178 | ttCOg61bOg.exe | malicious | Remcos
104.250.180.178 | SKM_C364e24092511300346565787689900142344656767788755634232343456768953334466870.scr.exe | malicious | Remcos
104.250.180.178 | ISF #U8a02#U8259#U55ae - KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe | malicious | XWorm
104.250.180.178 | ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe | malicious | Remcos
104.250.180.178 | F41355 SO 7670 HBL EXPRESS RELEASEpdf.pdf.scr.exe | malicious | XWorm
104.250.180.178 | DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe | malicious | XWorm
                                                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | loligang.x86-20241128-1536.elf | malicious | Mirai | 38.95.109.118
M247GB | nabmpsl.elf | malicious | Unknown | 38.206.86.187
M247GB | nabarm5.elf | malicious | Unknown | 45.74.38.161
M247GB | mips.elf | malicious | Unknown | 77.36.125.131
M247GB | akcqrfutuo.elf | malicious | Unknown | 154.17.91.183
M247GB | Mail-Manager.jar | malicious | Unknown | 184.174.97.32
M247GB | nklsh4.elf | malicious | Unknown | 194.71.126.13
M247GB | splm68k.elf | malicious | Unknown | 193.43.20.63
M247GB | nklx86.elf | malicious | Unknown | 196.19.8.215
M247GB | file.exe | malicious | PureCrypter, Amadey, Cerbfyne Stealer, Credential Flusher, Cryptbot, LummaC Stealer, Poverty Stealer | 185.244.212.106
                                                                          No context
                                                                          No context
                                                                          Process:C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1216
                                                                          Entropy (8bit):5.34331486778365
                                                                          Encrypted:false
                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                          Malicious:true
                                                                          Reputation:high, very likely benign file
                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):2232
                                                                          Entropy (8bit):5.380192968514367
                                                                          Encrypted:false
                                                                          SSDEEP:48:SWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZvUyus:SLHyIFKL3IZ2KRH9OugMs
                                                                          MD5:9CAD83B6F040DDBE9CB99F834A17FDDE
                                                                          SHA1:86B6B188C094404E421288142B2275463D219564
                                                                          SHA-256:5B77D34802EC77C368D6286D0088012EE2922EC2C5F58B9260C56002E0DA024C
                                                                          SHA-512:2D701C5B6E62801CBC9E4CEFBB656146BE6F69556710FFE2A38717A6BA2BD28ECAF147C252C12908846B9BE01E1ED6B0AC1D52579D8982DA7510CCDE49E99CBE
                                                                          Malicious:false
                                                                          Preview:@...e.................................K..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                          Process:C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):29
                                                                          Entropy (8bit):3.598349098128234
                                                                          Encrypted:false
                                                                          SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                          MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                          SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                          SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                          SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                          Malicious:false
                                                                          Preview:....### explorer ###..[WIN]r
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 28 15:42:24 2024, mtime=Thu Nov 28 15:42:24 2024, atime=Thu Nov 28 15:42:24 2024, length=676864, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):767
                                                                          Entropy (8bit):5.0703592824729595
                                                                          Encrypted:false
                                                                          SSDEEP:12:8ruum24yDBpnu8ChBrAlXIsY//SYmELTjAsNuX+Hka/pAamV:8YyXD8AlXU/mm3AsMXFqp1m
                                                                          MD5:434D860E9049F139E217664A4D8D73B1
                                                                          SHA1:C0C64D96B2D3C65F544C8305095A0A43886E9723
                                                                          SHA-256:FA9064E7DA5B3C61636E3BD223237032A68B4F19D6137554ABE36B03578E42AE
                                                                          SHA-512:67A076CCA7122891C5EE6DA2BFC77F354CA9C039A511BFF1618EF33B699778056DB622F410082A9726334518EB5256885ABC2EE29E20BD4B66D2229356B3832D
                                                                          Malicious:false
                                                                          Preview:L..................F.... ...#.e..A..#.e..A..#.e..A...T......................v.:..DG..Yr?.D..U..k0.&...&.......$..S...H..n.A..U.m..A......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2|Y=............................^.A.p.p.D.a.t.a...B.V.1.....|Y;...Roaming.@......EW<2|Y;...../.....................`Be.R.o.a.m.i.n.g.....b.2..T..|YM. .XClient.exe.H......|YM.|YM.....H.........................X.C.l.i.e.n.t...e.x.e.......\...............-.......[............9.......C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......897506...........hT..CrF.f4... .......-...-$..hT..CrF.f4... .......-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                          Process:C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):676864
                                                                          Entropy (8bit):7.761548637420002
                                                                          Encrypted:false
                                                                          SSDEEP:12288:t2sv+SGjpA3yKUUo6aGCvzCnYb+iXM6saac3gFdt8pN8FRXd5FxYCOb8keqWrmJ+:t2xj7LCnYnM3+WWsHyb8kezriVkB9
                                                                          MD5:85CD120B5698E12FDA1E27B8CA8D4F99
                                                                          SHA1:E9F66E5C3DC28B0AE844BE5BB2D967A17B16C57E
                                                                          SHA-256:EF257E45AB2EF35A61DB240928EA20173FB81A534FBC50A0ECD3667F76C9DC1E
                                                                          SHA-512:11B910501D6667C8F975B7F88F48F757448DA081646A0AEDC7FF83E653E3FCA9801F7DFECB51FE498EF20E5DDA56E135DFED3A8085E16AE9F85CF89B78E3C469
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0......\........... ... ....@.. ....................................@.................................@...O.... ...Y........................................................................... ............... ..H............text........ ...................... ..`.rsrc....Y... ...Z..................@..@.reloc...............R..............@..B................t.......H.......P<...5......$....q..X...........................................z..}.....(........}.....(.....*..*...0............{.....+..*&...}....*...0............{....o.....+..*....0..B.........{...., .{....o....,..(....o..........+....,...(....o....oB.....*...0..B.........{...., .{....o....,..(....o..........+....,...(....o....oD.....*..r...p.{....%-.&.+.o....(....(....&*..0..E.........{....o.........,1...}.....(.....{....o ...o!.....(....o....oB.....*>..{.....o"....**...(#....*
                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.761548637420002
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                          File name:CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                                                                          File size:676'864 bytes
                                                                          MD5:85cd120b5698e12fda1e27b8ca8d4f99
                                                                          SHA1:e9f66e5c3dc28b0ae844be5bb2d967a17b16c57e
                                                                          SHA256:ef257e45ab2ef35a61db240928ea20173fb81a534fbc50a0ecd3667f76c9dc1e
                                                                          SHA512:11b910501d6667c8f975b7f88f48f757448da081646a0aedc7ff83e653e3fca9801f7dfecb51fe498ef20e5dda56e135dfed3a8085e16ae9f85cf89b78e3c469
                                                                          SSDEEP:12288:t2sv+SGjpA3yKUUo6aGCvzCnYb+iXM6saac3gFdt8pN8FRXd5FxYCOb8keqWrmJ+:t2xj7LCnYnM3+WWsHyb8kezriVkB9
                                                                          TLSH:B5E40260569FE906C8D617B409B3E7F45674CCC8E911C70B6BE57EEFBD2B21628803A0
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0......\........... ... ....@.. ....................................@................................
                                                                          Icon Hash:099bce4dd131078e
                                                                          Entrypoint:0x4a1492
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x6747D4C9 [Thu Nov 28 02:26:17 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa1440 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x59f4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9f518 | 0x9f600 | e32c98bde96184fb77098f4c7a0d1ca1 | False | 0.9024203431372549 | data | 7.759895673632601 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x59f4 | 0x5a00 | e1b0c8932508807520f02eae3e9f7cd8 | False | 0.9310763888888889 | data | 7.858071770855054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa8000 | 0xc | 0x200 | e251393f2265dcc3208be973dcc307a3 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa2100 | 0x531a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.968083106138949
RT_GROUP_ICON | 0xa742c | 0x14 | data | | | 1.05
RT_VERSION | 0xa7450 | 0x3a4 | data | | | 0.43776824034334766
RT_MANIFEST | 0xa7804 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-28T17:42:41.710405+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:42:42.269526+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:42:42.285243+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:42:55.557397+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:42:55.559295+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:42:58.269243+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:42:58.269243+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:08.727096+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:08.728779+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:21.970217+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:21.974000+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:28.260552+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:28.260552+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:33.180304+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:33.181765+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:41.790524+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:41.796704+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:47.203499+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:47.204999+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:47.457940+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:47.459389+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:47.691961+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:47.816489+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:47.981862+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:47.984977+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:54.680830+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:54.682766+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:43:58.260962+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:43:58.260962+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:02.340869+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:02.346742+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:05.533325+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:05.569910+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:13.678690+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:13.681144+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:17.781959+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:17.789565+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:21.291150+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:21.292632+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:24.363102+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:24.365683+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:25.426495+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:25.428511+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:25.641364+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:25.645453+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:28.261733+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:28.261733+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:30.081400+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:30.084359+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:31.088694+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:32.121146+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:32.122763+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:33.096234+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:33.097596+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:35.217129+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:35.218824+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:35.454377+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:35.570416+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:35.754605+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:35.874812+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:36.111670+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:36.116029+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:45.651595+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:45.654168+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:48.242671+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:48.244142+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:44:58.253361+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:58.253361+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:45:01.342309+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
                                                                          2024-11-28T17:45:01.344121+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:01.631973+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:01.633646+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:01.918378+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:06.432176+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:06.434737+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:11.792760+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:11.798568+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:12.077694+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:12.102721+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:12.303031+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:12.394560+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:14.591580+01002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:15.382337+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:15.383669+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:25.182792+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:25.186779+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:28.262193+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:28.262193+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:29.532597+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:29.534859+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:38.649104+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:38.651080+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:50.660755+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:50.749253+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:53.442714+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:53.507263+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:54.992763+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:54.995291+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:56.772888+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:56.774352+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:45:58.252760+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:45:58.252760+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:46:03.512691+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:46:03.514478+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
                                                                          2024-11-28T17:46:11.106438+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.649748TCP
                                                                          2024-11-28T17:46:11.108933+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649748104.250.180.1787061TCP
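Every alert above belongs to one TCP session between 192.168.2.6:49748 and 104.250.180.178:7061, and the inbound PING command signature (SID 2852874) fires about 30 seconds apart (17:44:58, 17:45:28, 17:45:58). The script below is an added example, not part of the Joe Sandbox report or of Suricata: it parses alert rows in the report's column order, picks out the non-private endpoint as the C2 side, and measures the inter-arrival interval of a chosen SID to decide whether it beacons. The pipe delimiter, the function names, the 0.5 s tolerance and the three-interval minimum are this example's own assumptions; the sample rows are constructed from values in the table above, with one extra ping row extrapolated so the heuristic has enough intervals to work with.

```python
"""Beacon analysis over Suricata-style alert rows from a sandbox report.

Input rows are pipe-separated in the report's column order:
timestamp | SID | signature | severity | src IP | src port | dst IP | dst port | proto
The delimiter, function names and thresholds are this example's own choices
(assumptions), not part of the report format or of Suricata.
"""
import ipaddress
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample input: SIDs, endpoints and timestamps mirror the alert rows
# in the report, but this string was assembled for the example, not captured.
# The final 17:46:28 row is extrapolated (it is not in the report) so that the
# periodicity check has four inbound PING alerts, i.e. three intervals.
SAMPLE_ALERTS = """\
2024-11-28T17:44:58.253361+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:44:58.253361+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:45:01.344121+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:45:14.591580+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49748 | 104.250.180.178 | 7061 | TCP
2024-11-28T17:45:28.262193+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:45:58.252760+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
2024-11-28T17:46:28.252760+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49748 | TCP
"""


def parse_alerts(text):
    """Parse pipe-separated rows into dicts with aware datetimes and integer ports."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, sip, sport, dip, dport, proto = [f.strip() for f in line.split("|")]
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "sig": sig, "severity": int(sev),
            "src": (sip, int(sport)), "dst": (dip, int(dport)), "proto": proto,
        })
    return alerts


def is_external(ip):
    """True for routable addresses; RFC 1918, loopback and link-local count as internal."""
    return not ipaddress.ip_address(ip).is_private


def external_peers(alerts):
    """The non-private (ip, port) endpoints in the alert set: the C2 side of the session."""
    return {ep for a in alerts for ep in (a["src"], a["dst"]) if is_external(ep[0])}


def intervals_for_sid(alerts, sid):
    """Seconds between consecutive alerts carrying the given SID, in time order."""
    times = sorted(a["ts"] for a in alerts if a["sid"] == sid)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def is_periodic(intervals, tolerance=0.5, minimum=3):
    """Beacon heuristic: at least `minimum` intervals, all within `tolerance` s of the median."""
    if len(intervals) < minimum:
        return False
    centre = median(intervals)
    return all(abs(gap - centre) <= tolerance for gap in intervals)


def summarize(text, beacon_sid=2852874):
    """Session summary plus a periodicity verdict for one SID (default: the inbound PING)."""
    alerts = parse_alerts(text)
    gaps = intervals_for_sid(alerts, beacon_sid)
    direction = Counter("inbound" if is_external(a["src"][0]) else "outbound" for a in alerts)
    return {
        "alerts_by_sid": dict(Counter(a["sid"] for a in alerts)),
        "alerts_by_direction": dict(direction),
        "c2_endpoints": external_peers(alerts),
        "beacon_intervals": [round(gap, 6) for gap in gaps],
        "beacon_period": round(median(gaps), 3) if gaps else None,
        "beacon_periodic": is_periodic(gaps),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

The median is used rather than the mean so that one missed or delayed ping (a sleep, a retransmit) does not drag the estimated period; the tolerance should be widened for implants that add jitter, and a real deployment would group by the full 5-tuple before measuring, since the page's data happens to contain a single session.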
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 28, 2024 17:42:28.196266890 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:42:28.322961092 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:28.323050022 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:42:28.422564030 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:42:28.548778057 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:41.710405111 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:42:41.831430912 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:42.269526005 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:42.285243034 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:42:42.405965090 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:54.932893991 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:42:55.056366920 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:55.557396889 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:55.559294939 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:42:55.685722113 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:58.269243002 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:42:58.323134899 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:08.167421103 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:08.287431955 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:08.727096081 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:08.728779078 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:08.849858046 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:21.402107954 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:21.522634983 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:21.970216990 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:21.973999977 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:22.095319986 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:28.260551929 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:28.308125973 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:32.621048927 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:32.743336916 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:33.180304050 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:33.181765079 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:33.301876068 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:41.230554104 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:41.350590944 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:41.790524006 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:41.796704054 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:41.921166897 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:46.605787992 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:46.726026058 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:46.726083040 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:46.846167088 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:46.846213102 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:46.968452930 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:46.968502998 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:47.089896917 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.203499079 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.204998970 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:47.328618050 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.457940102 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.459388971 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:47.584651947 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.690495968 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.691961050 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:47.816395044 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.816488981 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:47.938954115 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.981862068 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:47.984977007 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:48.106899977 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:54.123137951 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:54.249356985 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:54.680830002 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:54.682765961 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:43:54.807806015 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:58.260962009 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:43:58.339976072 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:01.746700048 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:01.866962910 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:02.340868950 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:02.346741915 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:02.470606089 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:04.949949026 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:05.075299978 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:05.533324957 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:05.569910049 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:05.707488060 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:13.106266975 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:13.226351976 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:13.678689957 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:13.681143999 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:13.801362038 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:17.200299025 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:17.320525885 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:17.781959057 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:17.789565086 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:17.909761906 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:20.715698957 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:20.835741043 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:21.291150093 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:21.292632103 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:21.412587881 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:23.762587070 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:23.882781029 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:24.363101959 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:24.365683079 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:24.485763073 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:24.794023991 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:24.918714046 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:24.950417042 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:25.070763111 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:25.426495075 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:25.428510904 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:25.548980951 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:25.641364098 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:25.645452976 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:25.765491009 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:28.261733055 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:28.309287071 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:28.809879065 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:28.934436083 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:28.934484005 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:29.054712057 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:29.054759979 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:29.177869081 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:30.081399918 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:30.084358931 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:30.207792997 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:30.387969971 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:30.508243084 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:31.087241888 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:31.088694096 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:31.209204912 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:31.209323883 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:31.329400063 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:32.121145964 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:32.122762918 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:32.243254900 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:32.243339062 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:32.363482952 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:33.096234083 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:33.097595930 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:33.217778921 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:34.513417006 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:34.639043093 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:34.669281006 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:34.792381048 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:34.792432070 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:34.912622929 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:35.217128992 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:35.218823910 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:35.343563080 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:35.450341940 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:35.454376936 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:35.497011900 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:35.570344925 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:35.570415974 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:35.692073107 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:35.751652002 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:35.754605055 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:35.874624968 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:35.874811888 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:35.995045900 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:36.111670017 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:36.116029024 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:36.238372087 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:45.091445923 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:45.213438988 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:45.651595116 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:45.654167891 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:45.780369043 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:47.638000011 CET | 49748 | 7061 | 192.168.2.6 | 104.250.180.178
Nov 28, 2024 17:44:47.760845900 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
Nov 28, 2024 17:44:48.242671013 CET | 7061 | 49748 | 104.250.180.178 | 192.168.2.6
                                                                          Nov 28, 2024 17:44:48.244142056 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:44:48.364193916 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:44:58.253360987 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:44:58.294332027 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:00.763309956 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:00.885891914 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:00.885943890 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:01.011693954 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:01.011745930 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:01.133682013 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:01.342308998 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:01.344120979 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:01.464117050 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:01.631973028 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:01.633646011 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:01.756508112 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:01.911479950 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:01.918378115 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:02.040651083 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:02.042669058 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:02.164537907 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:05.810213089 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:05.935713053 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:06.432176113 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:06.434736967 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:06.555226088 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:11.201260090 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:11.325251102 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:11.325298071 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:11.445205927 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:11.482378006 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:11.615612030 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:11.792759895 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:11.798568010 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:11.918987989 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:12.077693939 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:12.102720976 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:12.229830980 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:12.303030968 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:12.358128071 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:12.394560099 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:12.514728069 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:14.591579914 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:14.712333918 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:15.382337093 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:15.383668900 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:15.503760099 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:24.623074055 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:24.745034933 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:25.182791948 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:25.186779022 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:25.306929111 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:28.262192965 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:28.310360909 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:28.970851898 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:29.097794056 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:29.532597065 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:29.534858942 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:29.654800892 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:38.076510906 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:38.196641922 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:38.649104118 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:38.651079893 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:38.771462917 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:50.029813051 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:50.172651052 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:50.660754919 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:50.717041969 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:50.749253035 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:50.871668100 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:52.873662949 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:52.996972084 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:53.442713976 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:53.484569073 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:53.507262945 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:53.627327919 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:54.420444965 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:54.540472984 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:54.992763042 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:54.995290995 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:55.115981102 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:56.174153090 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:56.296178102 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:56.772887945 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:56.774352074 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:45:56.894310951 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:58.252759933 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:45:58.295237064 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:46:02.920654058 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:46:03.045361042 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:46:03.512691021 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:46:03.514477968 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:46:03.634411097 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:46:10.530046940 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:46:10.656966925 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:46:11.106437922 CET706149748104.250.180.178192.168.2.6
                                                                          Nov 28, 2024 17:46:11.108932972 CET497487061192.168.2.6104.250.180.178
                                                                          Nov 28, 2024 17:46:11.231205940 CET706149748104.250.180.178192.168.2.6

                                                                          Click to jump to process

                                                                          Click to jump to process

                                                                          Click to dive into process behavior distribution

                                                                          Click to jump to process

                                                                          Target ID:0
                                                                          Start time:11:41:59
                                                                          Start date:28/11/2024
                                                                          Path:C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
                                                                          Imagebase:0x800000
                                                                          File size:676'864 bytes
                                                                          MD5 hash:85CD120B5698E12FDA1E27B8CA8D4F99
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2117918407.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2118237404.0000000003C49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2120973463.0000000005470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2117918407.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2117918407.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2117918407.0000000002CCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:11:42:00
                                                                          Start date:28/11/2024
                                                                          Path:C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe"
                                                                          Imagebase:0xfe0000
                                                                          File size:676'864 bytes
                                                                          MD5 hash:85CD120B5698E12FDA1E27B8CA8D4F99
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4573806671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4573806671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4586866118.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:4
                                                                          Start time:11:42:04
                                                                          Start date:28/11/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe'
                                                                          Imagebase:0x330000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:11:42:04
                                                                          Start date:28/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:11:42:08
                                                                          Start date:28/11/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe'
                                                                          Imagebase:0x330000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:11:42:08
                                                                          Start date:28/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:9
                                                                          Start time:11:42:12
                                                                          Start date:28/11/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                                                                          Imagebase:0x330000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:11:42:12
                                                                          Start date:28/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:11:42:17
                                                                          Start date:28/11/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                                                          Imagebase:0x330000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:11:42:17
                                                                          Start date:28/11/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true


                                                                            Execution Graph

                                                                            Execution Coverage:10%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:33
                                                                            Total number of Limit Nodes:3
                                                                            [Execution graph: rendered figure not captured. The captured nodes (33 in total, 3 limit nodes) reference the API calls CreateActCtxA, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and GetModuleHandleW.]

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function at ec43e8 (executed / not executed colouring): rendered figure not captured. The graph shows calls to ec5a80, ec5a90 and ec01f0 (three times).]
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f590cf66b5dbfec482af23cfc53adf74965a9c02bebc60da6358d640d7558488
                                                                            • Instruction ID: a901fca8fcc5f6a44d65d93b2b86133eea446740a7e202fc5920ca26c475ee20
                                                                            • Opcode Fuzzy Hash: f590cf66b5dbfec482af23cfc53adf74965a9c02bebc60da6358d640d7558488
                                                                            • Instruction Fuzzy Hash: 6281AF74E012088FDB54DFE9C8A0AEEBBB2BF88310F249169D919BB365DB3159418F50
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c51974696a3b298e3530ccd3d2f1b0550cf172abc13652f06578a55277a24747
                                                                            • Instruction ID: 2f397561997143eae5369356fcdf4dca632529ef519b821131304c6d171651d5
                                                                            • Opcode Fuzzy Hash: c51974696a3b298e3530ccd3d2f1b0550cf172abc13652f06578a55277a24747
                                                                            • Instruction Fuzzy Hash: 2B81AF74E012088FDB54DFE9C890AEEBBB2BF88310F248169D919BB365DB315941CF50

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 00ECD5DE
                                                                            • GetCurrentThread.KERNEL32 ref: 00ECD61B
                                                                            • GetCurrentProcess.KERNEL32 ref: 00ECD658
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00ECD6B1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: abd4a7e54a8aa7039b5f08cd0b0d6a21c9c39544063811f6664fcd147d4dd8b1
                                                                            • Instruction ID: d18fecb52850e51048234ac7a6e4dfa3d1c39dae57e6d156cc6f2a3f1d751e43
                                                                            • Opcode Fuzzy Hash: abd4a7e54a8aa7039b5f08cd0b0d6a21c9c39544063811f6664fcd147d4dd8b1
                                                                            • Instruction Fuzzy Hash: 235169B0900349CFDB14CFA9D948B9EBBF1AF88318F20806DE459A7360D7765944CB65

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 00ECD5DE
                                                                            • GetCurrentThread.KERNEL32 ref: 00ECD61B
                                                                            • GetCurrentProcess.KERNEL32 ref: 00ECD658
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00ECD6B1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: fc20f3f97987e8e8c285b03c28d2e2aabb5267bbd5ffc6a8978d592c890fafa8
                                                                            • Instruction ID: b14b1861151b29052e2b1c8425e4323830cf5ec7d991097ba0ff321db13a7241
                                                                            • Opcode Fuzzy Hash: fc20f3f97987e8e8c285b03c28d2e2aabb5267bbd5ffc6a8978d592c890fafa8
                                                                            • Instruction Fuzzy Hash: DB5157B0900349CFDB54CFA9D548BAEBBF1EB88308F20806DE459B7360D7769944CB65

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function at ecb2b7 (executed / not executed colouring): rendered figure not captured. The graph shows calls to the internal subroutines ec9d40, ecb560/ecb550, ecaf58, ecaf68, ecaf78, ecaf88 and ecb860/ecb830, plus GetModuleHandleW at ecb500.]
                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00ECB51E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 053efc663212ee73da1de03fa686dcca2be3f9bc5ae0c4197c6f374f8c7d5de1
                                                                            • Instruction ID: 4294a6e15ad63bbb19262eb003d6469e83cbcff2a8242f4c4d46e0a41204756a
                                                                            • Opcode Fuzzy Hash: 053efc663212ee73da1de03fa686dcca2be3f9bc5ae0c4197c6f374f8c7d5de1
                                                                            • Instruction Fuzzy Hash: 00816870A00B458FD724DF69D541B9ABBF1FF88304F008A2DE09AE7650D776E846CB91

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function at ec4544 (executed / not executed colouring): rendered figure not captured. The graph shows a call to CreateActCtxA.]
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 00EC5E89
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: 315d4996fe6de64b941a15ece69294b91bde967e4b480395385a04305f21c890
                                                                            • Instruction ID: 4ee0da7b9c7d21b2f0d539f51ecb107a959601c070b8fd1607e53d44f03ae4b1
                                                                            • Opcode Fuzzy Hash: 315d4996fe6de64b941a15ece69294b91bde967e4b480395385a04305f21c890
                                                                            • Instruction Fuzzy Hash: 08410271C0071DCFEB24CFA9C944B8EBBB5BF49304F20806AD508AB250DB726946CF91

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function at ec5dcc (executed / not executed colouring): rendered figure not captured. The graph shows a call to CreateActCtxA.]
                                                                            APIs
                                                                            • CreateActCtxA.KERNEL32(?), ref: 00EC5E89
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: d7d7888699e5da41e40fd9d04d9e96868daabf5aafd8253845d469f0e059991c
                                                                            • Instruction ID: e0b3f29eb7541461e0693b7b8dab89d6b8e7b06dac54acc8fbc83a96b3135cf0
                                                                            • Opcode Fuzzy Hash: d7d7888699e5da41e40fd9d04d9e96868daabf5aafd8253845d469f0e059991c
                                                                            • Instruction Fuzzy Hash: AB4102B1C00719CFEB24CFA9C844B8DBBB5BF89704F20816AD418AB254DB726946CF51

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function at ecd7a0 (executed / not executed colouring): rendered figure not captured. The graph shows a call to DuplicateHandle.]
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ECD82F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: f1714105d0c99913026eca5bc2dd2f3c62becc5403ee5e9d2020d6195a874876
                                                                            • Instruction ID: b6cd5df9ddd3a2abddd87334b7d643adb36fbe2b7e5785749a06d3933feecbcb
                                                                            • Opcode Fuzzy Hash: f1714105d0c99913026eca5bc2dd2f3c62becc5403ee5e9d2020d6195a874876
                                                                            • Instruction Fuzzy Hash: C621E5B5900248EFDB10CFAAD984ADEBBF4FB48310F14846AE914B7350D375A944CFA5

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function at ecd7a8 (executed / not executed colouring): rendered figure not captured. The graph shows a call to DuplicateHandle.]
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ECD82F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: e96dc108d8f6cff612986381aa27b9a7804fc0a99832b04ef2b46d7eb7d2ad61
                                                                            • Instruction ID: 999041e6c5c910c2ce79ba8129002add8062417e2c2e3488ef7446ed0188e603
                                                                            • Opcode Fuzzy Hash: e96dc108d8f6cff612986381aa27b9a7804fc0a99832b04ef2b46d7eb7d2ad61
                                                                            • Instruction Fuzzy Hash: DA21E4B5900248DFDB10CFAAD984ADEBBF8FB48310F14801AE918A3350D379A944CFA5

                                                                            Control-flow Graph

                                                                            [Control-flow graph for the function at ecb4b8 (executed / not executed colouring): rendered figure not captured. The graph shows a call to GetModuleHandleW.]
                                                                            APIs
                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00ECB51E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: d6e22fd958feabcaf1d38c81c2fe8cd2a8f481ab2a2798b7c8d9dbf65e1b0200
                                                                            • Instruction ID: ad9557835e6974e3d3233cc580929095ef854f438158b574289558b6ce688333
                                                                            • Opcode Fuzzy Hash: d6e22fd958feabcaf1d38c81c2fe8cd2a8f481ab2a2798b7c8d9dbf65e1b0200
                                                                            • Instruction Fuzzy Hash: 18110FB5C007498FDB10CF9AD545B9EFBF9AB88314F14845AD928B7200D379A545CFA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117329814.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_e6d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 20f90ada4703cfde08970fd7de15140b41b2a69ccaf63702f6ede203190f3256
                                                                            • Instruction ID: eae66cd85cb376726a3d5b7945bed3856a4ee4e10a36fad4ff1a0b7ccb11dc43
                                                                            • Opcode Fuzzy Hash: 20f90ada4703cfde08970fd7de15140b41b2a69ccaf63702f6ede203190f3256
                                                                            • Instruction Fuzzy Hash: DD214871A48340EFCB01DF14EDC0F26BF61FB88358F60C169D8061B656C336D856CAA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117366008.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_e7d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2e3ed8f3559a95f8ad5f9fa6d888becd07de217b5c9d7e7548ba0a55c3895896
                                                                            • Instruction ID: a23a4a2148e3404c3b6a20d075612d77e1159def4341789a90fe6d54b4a7b468
                                                                            • Opcode Fuzzy Hash: 2e3ed8f3559a95f8ad5f9fa6d888becd07de217b5c9d7e7548ba0a55c3895896
                                                                            • Instruction Fuzzy Hash: D321D371608244EFDB05DF54D9C0B25BB75FF84318F24C56DD90D5B262C336D846CA61
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117366008.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_e7d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c9563b90e07e254b564b43c98da24115fe457d610e587c3b101b82f81431a685
                                                                            • Instruction ID: 29207f1cffe8cab1ad22050002c0dede77b9263aac01014cef0ca5425da6701c
                                                                            • Opcode Fuzzy Hash: c9563b90e07e254b564b43c98da24115fe457d610e587c3b101b82f81431a685
                                                                            • Instruction Fuzzy Hash: 2321D075608204EFDB14DF24D980B26BB76EF84318F24D56DD90E5B286C33AD847CA61
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117366008.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_e7d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5a7a618cabac10987926df0541a4e0112605a27771e441df79ed93351729f4af
                                                                            • Instruction ID: b7d9d9e35392b20447976c4599aa380e042e3bc7fe292312601ab60d8288d94d
                                                                            • Opcode Fuzzy Hash: 5a7a618cabac10987926df0541a4e0112605a27771e441df79ed93351729f4af
                                                                            • Instruction Fuzzy Hash: EA214F755093809FCB12CF24D994715BF72EF46214F29C5EAD8498B6A7C33A980ACB62
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117329814.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_e6d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                            • Instruction ID: 8a408845361f11b3b234a079a2e2bdbb0dc862564c7cf6c3a98eb287fb125369
                                                                            • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                            • Instruction Fuzzy Hash: A211E976944280DFCB15CF10D9C4B16BF71FB94328F24C5A9D8454F656C336D456CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117366008.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_e7d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                                            • Instruction ID: 3f2664bbed3fc4e463b69fb59fe2b70ea0e65ca2a0b937faa262aab2ca8e7666
                                                                            • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                                            • Instruction Fuzzy Hash: A411AC75508280DFCB01CF50C9C0B15BB71FB84318F24C6A9D8494B266C33AD81ACB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117329814.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_e6d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 60d8e0da1e3c5d4c12c93193bf25ba1e08928518a132b5394d8fbaeffd7fa4aa
                                                                            • Instruction ID: 5428c04ac9a7be81448898ccb6b7fe94714bc2cd55febcdfee94c38ae67598b6
                                                                            • Opcode Fuzzy Hash: 60d8e0da1e3c5d4c12c93193bf25ba1e08928518a132b5394d8fbaeffd7fa4aa
                                                                            • Instruction Fuzzy Hash: 5F01FC31948344DAE7104A25DD807A6FF98EF413B4F58D41BED045A242C278A844C6B3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117329814.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_e6d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bd0ef5ab107bae6ad029e908951e13f11c06c64babca917ea7fc18269afe5678
                                                                            • Instruction ID: 1ddd500e5a4171659684a45a3e24f30aa6d6f5bc601ac2b22e867cd17eb84623
                                                                            • Opcode Fuzzy Hash: bd0ef5ab107bae6ad029e908951e13f11c06c64babca917ea7fc18269afe5678
                                                                            • Instruction Fuzzy Hash: 45F0C271509344AAE7108E15DC84B62FFD8EB91778F18C55AED081F282C279A844CBB2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2117479392.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ec0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b1d0b61f03e38ffd15df7c2da15539cb44448dbcaa6f01bf8571ff8e5aa6160a
                                                                            • Instruction ID: a456374c9acd8dd576c0abbcb63216b6321d5fde10b15963b3f05f02db36efe8
                                                                            • Opcode Fuzzy Hash: b1d0b61f03e38ffd15df7c2da15539cb44448dbcaa6f01bf8571ff8e5aa6160a
                                                                            • Instruction Fuzzy Hash: 97A16D32E002098FCF19DFA4C940A9EB7B2FF85304B19557EE805BB265DB76D956CB40

                                                                            Execution Graph

                                                                            Execution Coverage:8.2%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:5
                                                                            Total number of Limit Nodes:0
                                                                            execution_graph 15499 31a9398 15500 31a93dc SetWindowsHookExW 15499->15500 15502 31a9422 15500->15502 15503 31ae6f8 DuplicateHandle 15504 31ae78e 15503->15504

                                                                            Control-flow Graph

                                                                            control_flow_graph 764 31ae6f0-31ae6f7 765 31ae6f8-31ae78c DuplicateHandle 764->765 766 31ae78e-31ae794 765->766 767 31ae795-31ae7b2 765->767 766->767
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031AE77F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4586256849.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: ed008ae17987e26744c0fac6dcc2f5fcb2d648adf10804996846805987bfeeda
                                                                            • Instruction ID: 6c3f2595d98a0e9c6ac3cb4d7dd4d00207f4a490118bd64075f3f19331171832
                                                                            • Opcode Fuzzy Hash: ed008ae17987e26744c0fac6dcc2f5fcb2d648adf10804996846805987bfeeda
                                                                            • Instruction Fuzzy Hash: FF21E7B5900349DFDB10CF9AD984ADEBBF4EB48310F14801AE915A7350D374A954CFA5

                                                                            Control-flow Graph

                                                                            control_flow_graph 753 31a9390-31a93e2 756 31a93ee-31a9420 SetWindowsHookExW 753->756 757 31a93e4 753->757 758 31a9429-31a944e 756->758 759 31a9422-31a9428 756->759 760 31a93ec 757->760 759->758 760->756
                                                                            APIs
                                                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 031A9413
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4586256849.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: HookWindows
                                                                            • String ID:
                                                                            • API String ID: 2559412058-0
                                                                            • Opcode ID: 5965eef479420a687ab0bd9b4bb9ae12728a7ff00de435259cf29fd97d71279f
                                                                            • Instruction ID: e02cb8351a8dea3d16901fba66a9146ddc3497af03318ab64c5cc8ff202a2e89
                                                                            • Opcode Fuzzy Hash: 5965eef479420a687ab0bd9b4bb9ae12728a7ff00de435259cf29fd97d71279f
                                                                            • Instruction Fuzzy Hash: 982123B59002499FDB14DFAAC944BEEBBF5EF88310F10842AE419A7250CB74A945CFA1

                                                                            Control-flow Graph

                                                                            control_flow_graph 770 31ae6f8-31ae78c DuplicateHandle 771 31ae78e-31ae794 770->771 772 31ae795-31ae7b2 770->772 771->772
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031AE77F
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4586256849.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: d3466e5b2a7d17dcb7caabcc09088474230d5155bf4330788851d93132f45214
                                                                            • Instruction ID: 19cd21d17fd0090667472d864a585d9ead273322e1d5a569231c2d4bb66b72a2
                                                                            • Opcode Fuzzy Hash: d3466e5b2a7d17dcb7caabcc09088474230d5155bf4330788851d93132f45214
                                                                            • Instruction Fuzzy Hash: 5821E4B5900349DFDB10CFAAD984ADEFBF8EB48310F14801AE918A7350D378A954CFA5

                                                                            Control-flow Graph

                                                                            control_flow_graph 775 31a9398-31a93e2 777 31a93ee-31a9420 SetWindowsHookExW 775->777 778 31a93e4 775->778 779 31a9429-31a944e 777->779 780 31a9422-31a9428 777->780 781 31a93ec 778->781 780->779 781->777
                                                                            APIs
                                                                            • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 031A9413
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4586256849.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_31a0000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID: HookWindows
                                                                            • String ID:
                                                                            • API String ID: 2559412058-0
                                                                            • Opcode ID: de48fb94b4318cab0e2a3c02fff2fa1645fdd1d32dbb69cb459025f2adf81793
                                                                            • Instruction ID: 53db3d3ff2e39041b990555a9a4d8e86cc6ce728014ce31cdcb00e691da3d532
                                                                            • Opcode Fuzzy Hash: de48fb94b4318cab0e2a3c02fff2fa1645fdd1d32dbb69cb459025f2adf81793
                                                                            • Instruction Fuzzy Hash: 152113B5D00249DFDB14CFAAC944BEEFBF5AF88310F14842AE419A7250C774A944CFA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4585126876.000000000195D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0195D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_195d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f910e964819031511da070866809b1d52012a4fe9d8a350fec1d694cd2c1a2e7
                                                                            • Instruction ID: 1823d673a35ac8838708e7efdaa18b2c712245cd11d19c0cebcb50cd5fa52936
                                                                            • Opcode Fuzzy Hash: f910e964819031511da070866809b1d52012a4fe9d8a350fec1d694cd2c1a2e7
                                                                            • Instruction Fuzzy Hash: F5212172500200EFDB41DF54D9C0F26BFA5FB88718F208568ED091B28AC336E446CBA2
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4585520504.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_196d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 26f8330bafeb062ea64aa8262e220221fd6e22ec821615551f254b58659bec6d
                                                                            • Instruction ID: 2042b46c46319fb179c8179eb4c61ba84dea1bd3fa00fc0a615a492851cdcdff
                                                                            • Opcode Fuzzy Hash: 26f8330bafeb062ea64aa8262e220221fd6e22ec821615551f254b58659bec6d
                                                                            • Instruction Fuzzy Hash: 5421F271604204EFDB09DF64D9C0F26BBA9FB88314F24C96DD95D4B252C3BAD846CA71
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4585520504.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_196d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e9d8d611c47bb17e837f0e1f7c5a34c59256a41c9b24841b829e4b12cd078b75
                                                                            • Instruction ID: 4725998c40bd6e4e7631c7c12eed4952eb415b4efe696e16251d825ccfbfc0f8
                                                                            • Opcode Fuzzy Hash: e9d8d611c47bb17e837f0e1f7c5a34c59256a41c9b24841b829e4b12cd078b75
                                                                            • Instruction Fuzzy Hash: FB21F271604300EFDB25DF64D5C0F26BBA9EB84359F20C56DD98D4B252C376D846CAB1
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4585520504.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_196d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fa352c40e610bb3a5aad3426360e842cd44159ce4a3e15db052f16173f6d554e
                                                                            • Instruction ID: 8b8cc43999b8b8c34c29ff91664234f56bcfc1af16abc6312d6b912ab1d519bc
                                                                            • Opcode Fuzzy Hash: fa352c40e610bb3a5aad3426360e842cd44159ce4a3e15db052f16173f6d554e
                                                                            • Instruction Fuzzy Hash: 20216275609380DFD713CF24C590715BFB5AB46214F29C5DAD8898F6A3C33A984ACB62
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4585126876.000000000195D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0195D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_195d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                            • Instruction ID: d79a643e6a4edcde233fec537aae0b01e725a46ef80f96c356405f7509d8fa95
                                                                            • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                                            • Instruction Fuzzy Hash: C111AF76504280DFDB16CF54D5C4B16BFB1FB84318F2485A9DD094B25BC33AD45ACBA2
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.4585520504.000000000196D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0196D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_196d000_CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                                            • Instruction ID: a98f92d905fb0d87be73a9cad1176f060ce10f4542538d51808677dfa460bd88
                                                                            • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                                            • Instruction Fuzzy Hash: B511EB75604280DFDB0ACF54C9C0B15BFA5FB84214F28C6AAD8494B252C37AD40ACB62

                                                                            Execution Graph

                                                                            Execution Coverage:6.4%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:3
                                                                            Total number of Limit Nodes:0
                                                                            execution_graph 21653 8fa6428 21654 8fa646b SetThreadToken 21653->21654 21655 8fa6499 21654->21655
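The execution_graph and control_flow_graph lines in this section are flattened node/edge lists (a node is an id, a hex address or address range, and an optional API name or "call <target>"; an edge is "<id>-><id>"), and each Source File name encodes which process and which memory region the dumped function came from. The Python below, added here as an example and not code from Joe Sandbox or from this report, parses both into a short triage summary: which Win32 APIs a dumped function reaches, which nodes are reachable from an entry, and whether the dump came from executable private memory with no PE backing, which is what the "based on PE: false" entries above describe. The sample inputs are copied from the report lines above; the node/edge token layout and the .sdmp field order (process index, dump round, dump id, base, page protection, an unknown field, memory type, unknown), with protection and type read as Win32 PAGE_* / MEM_* constants, are assumptions the page does not document. The snapshot_prefix() helper cross-checks that reading against the "hcaresult_3_2_31a0000" snapshot names on the page.

```python
"""Parse the flattened execution_graph / control_flow_graph text and .sdmp dump
names from a Joe Sandbox IDA-plugin section into a short triage summary.
Added example, not Joe Sandbox code. Assumed layouts (undocumented on the page):
graph = "<id> <hexaddr>[-<hexend>] [<label>]" entries plus "<id>-><id>" edges;
.sdmp = <process>.<round>.<dumpid>.<base>.<protect>.<?>.<memtype>.<?> with
<protect>/<memtype> read as Win32 PAGE_* / MEM_* constants."""
import re
from collections import deque, namedtuple
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample inputs, copied from the report lines above.
SAMPLE_EXEC_GRAPH = (
    "execution_graph 15499 31a9398 15500 31a93dc SetWindowsHookExW 15499->15500 "
    "15502 31a9422 15500->15502 15503 31ae6f8 DuplicateHandle 15504 31ae78e 15503->15504"
)
SAMPLE_CFG = (
    "control_flow_graph 386 377b490-377b4b9 388 377b4be-377b7f9 call 377aab4 "
    "386->388 389 377b4bb 386->389 450 377b7fe-377b805 388->450 389->388"
)
SAMPLE_DUMP = ("00000003.00000002.4586256849.00000000031A0000"
               ".00000040.00000800.00020000.00000000.sdmp")

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")
DEC = re.compile(r"^\d+$")
PAGE_PROTECT = {0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
DumpInfo = namedtuple("DumpInfo", "process dump_round base protect mem_type")

@dataclass
class Node:
    ident: int
    start: int
    end: Optional[int] = None
    label: str = ""              # Win32 API name, "call <hexaddr>", or empty

@dataclass
class Graph:
    kind: str
    nodes: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)

def parse_graph(text: str) -> Graph:
    toks = text.split()
    g, cur, i = Graph(kind=toks[0]), None, 1
    while i < len(toks):
        t, m = toks[i], EDGE.match(toks[i])
        if m:
            g.edges.append((int(m[1]), int(m[2])))
            cur, i = None, i + 1
        elif t == "call" and cur is not None and i + 1 < len(toks):
            # take the target with the keyword: a digits-only hex target must
            # not be mistaken for the next node id
            cur.label = (cur.label + " call " + toks[i + 1]).strip()
            i += 2
        elif DEC.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            a = ADDR.match(toks[i + 1])
            cur = Node(int(t), int(a[1], 16), int(a[2], 16) if a[2] else None)
            g.nodes[cur.ident] = cur
            i += 2
        elif cur is not None:                 # label token for the current node
            cur.label = (cur.label + " " + t).strip()
            i += 1
        else:
            raise ValueError(f"unexpected token {t!r} at position {i}")
    return g

def api_calls(g: Graph) -> set:
    """Win32 APIs named on nodes (intra-dump 'call' targets excluded)."""
    return {n.label for n in g.nodes.values()
            if n.label and not n.label.startswith("call ")}

def reachable(g: Graph, start: int) -> set:
    """Node ids reachable from start over the parsed edges (BFS)."""
    seen, todo = {start}, deque([start])
    while todo:
        u = todo.popleft()
        for a, b in g.edges:
            if a == u and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def parse_dump_name(name: str) -> DumpInfo:
    f = name.removesuffix(".sdmp").split(".")
    if len(f) != 8:
        raise ValueError("unexpected .sdmp name layout")
    return DumpInfo(int(f[0]), int(f[1]), int(f[3], 16), int(f[4], 16), int(f[6], 16))

def snapshot_prefix(d: DumpInfo) -> str:
    """Cross-check: the page's 'Snapshot File' names start with this prefix."""
    return f"hcaresult_{d.process}_{d.dump_round}_{d.base:x}"

def triage(g: Graph, d: DumpInfo) -> list:
    """Flags a practitioner would raise from one function/dump pair."""
    flags = []
    if d.protect & 0xF0 and d.mem_type == 0x20000:   # executable, non-image
        flags.append(f"process {d.process}: code at {d.base:#x} sits in "
                     f"{PAGE_PROTECT.get(d.protect, hex(d.protect))} "
                     f"{MEM_TYPE[d.mem_type]} memory with no PE backing "
                     "(typical of unpacked or injected payloads)")
    flags += [f"{api} called from dump {d.base:#x}" for api in sorted(api_calls(g))]
    return flags
```

Run `triage(parse_graph(SAMPLE_EXEC_GRAPH), parse_dump_name(SAMPLE_DUMP))` to get the two flags for process 3: executable private memory at 0x31a0000, and the DuplicateHandle / SetWindowsHookExW calls the report attributes to that dump. The parser keeps the decimal node ids separate from the hex addresses by looking one token ahead, and consumes "call <target>" as a unit, since a call target that happens to contain only decimal digits would otherwise look like a node id.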

                                                                            Control-flow Graph

                                                                            control_flow_graph 386 377b490-377b4b9 388 377b4be-377b7f9 call 377aab4 386->388 389 377b4bb 386->389 450 377b7fe-377b805 388->450 389->388
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 438bc77703810b954f3ba28240c1772acd98c231f4f915c821c0f7bbc00933db
                                                                            • Instruction ID: 1fcc253bd67048a3f9b5f99a7fd597468ca53f4981fa187b0e4e772920f2bace
                                                                            • Opcode Fuzzy Hash: 438bc77703810b954f3ba28240c1772acd98c231f4f915c821c0f7bbc00933db
                                                                            • Instruction Fuzzy Hash: AF918E74F017699BEB19EFB888106AEBBF2EFC5600B40892DD146AB340DF345D068BD5

                                                                            Control-flow Graph

                                                                            control_flow_graph 451 377b4a0-377b4b9 452 377b4be-377b7f9 call 377aab4 451->452 453 377b4bb 451->453 514 377b7fe-377b805 452->514 453->452
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 53c0e1a4ddd89f10c187c2b650982f38f0c6b2cf6fc161b8998353b1719f824b
                                                                            • Instruction ID: 878fadb0cd3e11d0550199c09075189a8d35e2c29b238b4e064c75eebee91f2d
                                                                            • Opcode Fuzzy Hash: 53c0e1a4ddd89f10c187c2b650982f38f0c6b2cf6fc161b8998353b1719f824b
                                                                            • Instruction Fuzzy Hash: 09915E74F017699BDB19EFB988106AEBBF6EFC4600B40892DD106AB340DF345D068BD5

                                                                            Control-flow Graph

                                                                            control_flow_graph 0 8fa6420-8fa6463 1 8fa646b-8fa6497 SetThreadToken 0->1 2 8fa6499-8fa649f 1->2 3 8fa64a0-8fa64bd 1->3 2->3
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2187449927.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_8fa0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID: ThreadToken
                                                                            • String ID:
                                                                            • API String ID: 3254676861-0
                                                                            • Opcode ID: 0b73097c6ed9bbf412ab69537882efdee0ab57f3982ff706e4e52ae8946da65f
                                                                            • Instruction ID: 6b9fbe8fb899e87e68aabebd3120248aa18a033e0b1f0ca460e2a2a1248e81b6
                                                                            • Opcode Fuzzy Hash: 0b73097c6ed9bbf412ab69537882efdee0ab57f3982ff706e4e52ae8946da65f
                                                                            • Instruction Fuzzy Hash: B01116B5D00649CFDB10CFA9C584B9EBBF5EF48724F24841AD518A7310C778A944CFA5
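The `control_flow_graph` and `execution_graph` lines in this section are the report's text rendering of each function's basic blocks and edges: a decimal node id, the block's hex address or address range, optional annotations (an imported API name such as SetThreadToken, or `call <addr>` for a direct call into another function in the dump), and `src->dst` edges. The parser below is an added example and is not part of the Joe Sandbox report or its tooling; the layout rules it implements are inferred from the lines on this page and should be treated as an assumption, and the sample line it embeds is copied from the function at 08FA6420 above. It lets you cross-check a reported node count (the `Total number of Nodes` line at the top of this section) and list which blocks resolve a given import, which is the quickest way to find the two functions in the non-image-backed 08FA0000 region of powershell.exe that call SetThreadToken.

```python
"""Parser for the text form of Joe Sandbox function graphs (added example).

Each graph is one line such as

  control_flow_graph 0 8fa6420-8fa6463 1 8fa646b-8fa6497 SetThreadToken 0->1 ...

i.e. a graph kind, then repeated units of <node id> <hex addr or lo-hi range>
followed by zero or more annotations (an API name, or "call <addr>"), with
<src>-><dst> edges interleaved.  The execution_graph summary uses the same
layout.  The token rules below are inferred from this report (assumption).
"""
import re
from dataclasses import dataclass, field

# Copied from this report: the SetThreadToken function at 08FA6420 in the
# powershell.exe dump region 08FA0000 ("based on PE: false").
SAMPLE_CFG = ("control_flow_graph 0 8fa6420-8fa6463 1 8fa646b-8fa6497 SetThreadToken "
              "0->1 2 8fa6499-8fa649f 1->2 3 8fa64a0-8fa64bd 1->3 2->3")

_ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
_EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Graph:
    kind: str
    blocks: dict = field(default_factory=dict)  # node id -> (start, end) ints
    calls: dict = field(default_factory=dict)   # node id -> [annotation, ...]
    edges: list = field(default_factory=list)   # [(src, dst), ...]


def parse_graph(line: str) -> Graph:
    """Tokenise one graph line into blocks, call annotations and edges."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty graph line")
    g = Graph(kind=tokens[0])
    i, node = 1, None
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE_RE.match(tok)
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit():
            # A new basic block: decimal node id followed by its address/range.
            if i + 1 >= len(tokens) or not _ADDR_RE.match(tokens[i + 1]):
                raise ValueError(f"node {tok} has no address at token {i}")
            lo, _, hi = tokens[i + 1].partition("-")
            node = int(tok)
            g.blocks[node] = (int(lo, 16), int(hi or lo, 16))
            i += 2
        elif tok == "call":
            # Direct call into another function of the same dump: "call <addr>".
            if node is None or i + 1 >= len(tokens):
                raise ValueError("dangling call annotation")
            g.calls.setdefault(node, []).append(f"call {tokens[i + 1]}")
            i += 2
        else:
            # Any other word is an imported API resolved inside the current block.
            if node is None:
                raise ValueError(f"annotation {tok!r} before any node")
            g.calls.setdefault(node, []).append(tok)
            i += 1
    return g


def api_blocks(g: Graph, api: str) -> list:
    """Node ids whose block calls the named import (e.g. SetThreadToken)."""
    return sorted(n for n, anns in g.calls.items() if api in anns)


def address_span(g: Graph) -> tuple:
    """(lowest start, highest end) over all blocks: the function's extent."""
    return (min(lo for lo, _ in g.blocks.values()),
            max(hi for _, hi in g.blocks.values()))


def check_node_count(g: Graph, reported: int) -> bool:
    """Cross-check the report's 'Total number of Nodes' value against the graph."""
    return len(g.blocks) == reported


def summarize(line: str) -> dict:
    """One-line triage record: size, extent, imports and direct callees."""
    g = parse_graph(line)
    lo, hi = address_span(g)
    anns = [a for lst in g.calls.values() for a in lst]
    return {
        "kind": g.kind,
        "nodes": len(g.blocks),
        "edges": len(g.edges),
        "span": f"{lo:08x}-{hi:08x}",
        "apis": sorted({a for a in anns if not a.startswith("call ")}),
        "callees": sorted({a.split()[1] for a in anns if a.startswith("call ")}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CFG))
```

Running `summarize` over every graph line of the report and filtering on `apis` is a practical way to pull the token-manipulation functions out of several hundred entries. One caveat when reading the result: powershell.exe is a .NET host, so executable memory that is not backed by a PE image is expected there (JIT output), and "based on PE: false" alone proves nothing; it is the SetThreadToken import resolved from that region, combined with the rest of the report's verdict, that makes these two functions worth a closer look.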

                                                                            Control-flow Graph

                                                                            control_flow_graph 6 8fa6428-8fa6497 SetThreadToken 8 8fa6499-8fa649f 6->8 9 8fa64a0-8fa64bd 6->9 8->9
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2187449927.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_8fa0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID: ThreadToken
                                                                            • String ID:
                                                                            • API String ID: 3254676861-0
                                                                            • Opcode ID: a58b242e90a6743e9de5f265bb08cd0470eb29b4e326e31182c23af8c5487d87
                                                                            • Instruction ID: 1abda0ae671901c99ed24246a9de53974605479bcbbc70da578f77f29b9c0e0d
                                                                            • Opcode Fuzzy Hash: a58b242e90a6743e9de5f265bb08cd0470eb29b4e326e31182c23af8c5487d87
                                                                            • Instruction Fuzzy Hash: 6911F5B5900649DFDB10DFAAC884B9EFBF8EB48724F248419D518A7350C778A944CFA5

                                                                            Control-flow Graph

                                                                            control_flow_graph 515 37729f0-3772a1e 516 3772af5-3772b37 515->516 517 3772a24-3772a3a 515->517 521 3772c51-3772c61 516->521 522 3772b3d-3772b56 516->522 518 3772a3f-3772a52 517->518 519 3772a3c 517->519 518->516 526 3772a58-3772a65 518->526 519->518 524 3772b5b-3772b69 522->524 525 3772b58 522->525 524->521 531 3772b6f-3772b79 524->531 525->524 528 3772a67 526->528 529 3772a6a-3772a7c 526->529 528->529 529->516 535 3772a7e-3772a88 529->535 533 3772b87-3772b94 531->533 534 3772b7b-3772b7d 531->534 533->521 536 3772b9a-3772baa 533->536 534->533 537 3772a96-3772aa6 535->537 538 3772a8a-3772a8c 535->538 540 3772baf-3772bbd 536->540 541 3772bac 536->541 537->516 539 3772aa8-3772ab2 537->539 538->537 542 3772ab4-3772ab6 539->542 543 3772ac0-3772af4 539->543 540->521 546 3772bc3-3772bd3 540->546 541->540 542->543 547 3772bd5 546->547 548 3772bd8-3772be5 546->548 547->548 548->521 551 3772be7-3772bf7 548->551 552 3772bfc-3772c08 551->552 553 3772bf9 551->553 552->521 555 3772c0a-3772c24 552->555 553->552 556 3772c26 555->556 557 3772c29 555->557 556->557 558 3772c2e-3772c38 557->558 559 3772c3d-3772c50 558->559
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4998378a82c697826d4f82277663977a806c1b88546e11d25b443a31bb659d45
                                                                            • Instruction ID: f469c6a93c86db57c5e54dfbd693e8f54d06365e0c9234ccf8391baa29337d78
                                                                            • Opcode Fuzzy Hash: 4998378a82c697826d4f82277663977a806c1b88546e11d25b443a31bb659d45
                                                                            • Instruction Fuzzy Hash: CF916C74A00205CFCB15CF59C494AAEFBB5FF88310B2586A9D925AB366C735FC51CBA0

                                                                            Control-flow Graph

                                                                            control_flow_graph 608 7e33ce8-7e33d0d 609 7e33d13-7e33d18 608->609 610 7e33f00-7e33f08 608->610 611 7e33d30-7e33d34 609->611 612 7e33d1a-7e33d20 609->612 615 7e33eb0-7e33eba 611->615 616 7e33d3a-7e33d3c 611->616 613 7e33d22 612->613 614 7e33d24-7e33d2e 612->614 613->611 614->611 618 7e33ec8-7e33ece 615->618 619 7e33ebc-7e33ec5 615->619 620 7e33d3e-7e33d4a 616->620 621 7e33d4c 616->621 622 7e33ed0-7e33ed2 618->622 623 7e33ed4-7e33ee0 618->623 625 7e33d4e-7e33d50 620->625 621->625 626 7e33ee2-7e33efd 622->626 623->626 625->615 628 7e33d56-7e33d75 625->628 633 7e33d77-7e33d83 628->633 634 7e33d85 628->634 635 7e33d87-7e33d89 633->635 634->635 635->615 636 7e33d8f-7e33d96 635->636 636->610 637 7e33d9c-7e33da1 636->637 638 7e33da3-7e33da9 637->638 639 7e33db9-7e33dc8 637->639 640 7e33dab 638->640 641 7e33dad-7e33db7 638->641 639->615 643 7e33dce-7e33dec 639->643 640->639 641->639 643->615 647 7e33df2-7e33e17 643->647 647->615 650 7e33e1d-7e33e24 647->650 651 7e33e26-7e33e41 650->651 652 7e33e6a-7e33e9d 650->652 655 7e33e43-7e33e49 651->655 656 7e33e5b-7e33e5f 651->656 662 7e33ea4-7e33ead 652->662 657 7e33e4b 655->657 658 7e33e4d-7e33e59 655->658 660 7e33e66-7e33e68 656->660 657->656 658->656 660->662
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 254f21f1cfe160e7a9a1f72c1605de0aba4bd38aec86da1313cfe953e15e0358
                                                                            • Instruction ID: 6c30d032d3f40859e2282ff56fe3a2b0fb3ddf972e267cbea140f71aeb8514cb
                                                                            • Opcode Fuzzy Hash: 254f21f1cfe160e7a9a1f72c1605de0aba4bd38aec86da1313cfe953e15e0358
                                                                            • Instruction Fuzzy Hash: 825126F1B013018BDB209B69C815FABB7E3AFC1219F1480AAD905CB345DB31DD85CBA1

                                                                            Control-flow Graph

                                                                            control_flow_graph 753 3777740-3777776 756 377777f-3777788 753->756 757 3777778-377777a 753->757 760 3777791-37777af 756->760 761 377778a-377778c 756->761 758 3777829-377782e 757->758 764 37777b5-37777b9 760->764 765 37777b1-37777b3 760->765 761->758 766 37777bb-37777c0 764->766 767 37777c8-37777cf 764->767 765->758 766->767 768 37777d1-37777fa 767->768 769 377782f-3777860 767->769 772 37777fc-3777806 768->772 773 3777808 768->773 779 3777866-37778bd 769->779 780 37778e2-37778e6 769->780 774 377780a-3777816 772->774 773->774 781 377781c-3777823 774->781 782 3777818-377781a 774->782 789 37778bf 779->789 790 37778c9-37778d7 779->790 793 37778e9 call 3777932 780->793 794 37778e9 call 3777940 780->794 781->758 782->758 784 37778ec-37778f1 789->790 790->780 792 37778d9-37778e1 790->792 793->784 794->784
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 00bd2fec5c7e027fc4b641bd419ac4166795c714c8eb469a0eb700a1491ba520
                                                                            • Instruction ID: 7a32642011807b9e0a71c8c94ca3fd8a80d2ab5d4f63d8551f105474ecf1b6bf
                                                                            • Opcode Fuzzy Hash: 00bd2fec5c7e027fc4b641bd419ac4166795c714c8eb469a0eb700a1491ba520
                                                                            • Instruction Fuzzy Hash: DA51DE343042019FDB19DB79D854A7ABBEAFFC9215B1884ADD509CB351EB31DC02CBA0

                                                                            Control-flow Graph

                                                                            control_flow_graph 795 377bad0-377bb60 799 377bb66-377bb71 795->799 800 377bb62 795->800 801 377bb76-377bbd0 call 377afa8 799->801 802 377bb73 799->802 800->799 809 377bbd2-377bbd7 801->809 810 377bc21-377bc25 801->810 802->801 809->810 813 377bbd9-377bbfc 809->813 811 377bc27-377bc31 810->811 812 377bc36 810->812 811->812 814 377bc3b-377bc3d 812->814 817 377bc02-377bc0d 813->817 815 377bc62-377bc65 call 377a790 814->815 816 377bc3f-377bc60 814->816 822 377bc6a-377bc6e 815->822 816->822 819 377bc16-377bc1f 817->819 820 377bc0f-377bc15 817->820 819->814 820->819 823 377bca7-377bcd6 822->823 824 377bc70-377bc99 822->824 824->823
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8adf857771f170f292bc1390ee77e794c1a9352777e8a2a50421c5b2dc67ed69
                                                                            • Instruction ID: 989c0d13f0efa1c863eeeb27274a47bc78e3e92be067d0d79c397d9e3207b730
                                                                            • Opcode Fuzzy Hash: 8adf857771f170f292bc1390ee77e794c1a9352777e8a2a50421c5b2dc67ed69
                                                                            • Instruction Fuzzy Hash: 7B61F571E00248DFDB54DFA9D584ADDFBF1EF88310F18812AE809AB364DB309845CB60
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 88a4297c01e2f6d03334d6c9c65f48dc685d790a5aa9fbfad930a2cd53f94787
                                                                            • Instruction ID: 1ba57c72a5197b4a0efb9f4692f19d9996aaf854bec9fe1c66835b105914a580
                                                                            • Opcode Fuzzy Hash: 88a4297c01e2f6d03334d6c9c65f48dc685d790a5aa9fbfad930a2cd53f94787
                                                                            • Instruction Fuzzy Hash: FC51F4B1B01205DFDB149F6884497AAB7E9BF89216F04946ADB49DF240CB31DD81CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 11fb2d6b68379357a205edc7905a72e60940203e8de70ac3c7ac691d60559fae
                                                                            • Instruction ID: 24dbd50fd1835d47163f88dcbcb3b64ded378386c001db97a9166a8dc86ea57a
                                                                            • Opcode Fuzzy Hash: 11fb2d6b68379357a205edc7905a72e60940203e8de70ac3c7ac691d60559fae
                                                                            • Instruction Fuzzy Hash: 2F510475E00248DFDB54DFA9D884A9DFBF1FF89314F18816AE809AB364DB309845CB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6d0b6484db2464d290a38349de25e28fc1b79e7a3378c06e8767a487bf78daa1
                                                                            • Instruction ID: a7e07871a89df8b018fed93e4f7cc47b4bd96e655903e28f50b7a1c9f4299d4a
                                                                            • Opcode Fuzzy Hash: 6d0b6484db2464d290a38349de25e28fc1b79e7a3378c06e8767a487bf78daa1
                                                                            • Instruction Fuzzy Hash: 114117B1B01609DFD7249FACC8457AAB7E2EF8A216F10907ED61ADB351DA31CC41C7A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5e2222cad61b8e868124e120f4c7d6f1c0c8d9871e04554ba700e6d22693648a
                                                                            • Instruction ID: e36c3ede34eb608b60add902679ffc579700a34434bdff3c92a2c87fee2a0eb8
                                                                            • Opcode Fuzzy Hash: 5e2222cad61b8e868124e120f4c7d6f1c0c8d9871e04554ba700e6d22693648a
                                                                            • Instruction Fuzzy Hash: 474114B1B01205CFDB20DB6C88497AAB7EABFC9211F1090BAD7898B301DA31CC41C7A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 469aecd0f1dbbf8fa1cd9a5f27c979ed103e61c7cec31e416e9517f56d6bb873
                                                                            • Instruction ID: 5724b3fe6e73febbe33902553cfb2ef2b355a61043dbcf5c28f38fd238453f50
                                                                            • Opcode Fuzzy Hash: 469aecd0f1dbbf8fa1cd9a5f27c979ed103e61c7cec31e416e9517f56d6bb873
                                                                            • Instruction Fuzzy Hash: 3C413C34B002498FDB19DF64C468AAEBBF5EF8E315F185099E406AB395CB35DC01CB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e465a6a471c1bce75d63cd28fc8ab429af44f7d17de6553f42f31e457e856423
                                                                            • Instruction ID: d4804a21d465b81c66aa6c79e4f19e27117db880cdd32aa2bc6360f0126d764c
                                                                            • Opcode Fuzzy Hash: e465a6a471c1bce75d63cd28fc8ab429af44f7d17de6553f42f31e457e856423
                                                                            • Instruction Fuzzy Hash: 04414B74A00105CFCB05CF59C1989AAFBB5FF48310B2586A9D915AB765C736FC91CFA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f67b0d60325a3ea811f30ed49798e7c7e545fa1c79a28a3a4b9f7c5e49a38b65
                                                                            • Instruction ID: c9e1a5456b9d73ff83b244d4737d34a569604e4e7f65be5b38a62417fe79d978
                                                                            • Opcode Fuzzy Hash: f67b0d60325a3ea811f30ed49798e7c7e545fa1c79a28a3a4b9f7c5e49a38b65
                                                                            • Instruction Fuzzy Hash: 283106F1B02302DBDB308E55C505FBAB7E2AB80618F5481A9E904CF656D735ED84CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 62f9d1b35ba2e2748c661e92c0f253b4a21e378adfad607effb4854e2630dac4
                                                                            • Instruction ID: 922dcae1436c99e5c3f620a432e35cc684bdf1fbf0e996af5a447aef32388e25
                                                                            • Opcode Fuzzy Hash: 62f9d1b35ba2e2748c661e92c0f253b4a21e378adfad607effb4854e2630dac4
                                                                            • Instruction Fuzzy Hash: 8431A2353006019FD715EB78E854BAAB7A6EFC9211F04863DE609CB761DF71A806CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ad5ce0535d68c9f72a2b6a1883d10a1fa78fbfbfa276f929049a419e40c1eb6f
                                                                            • Instruction ID: a16d4a8785f50a27f6139a55c2747e5b50946536f2e9394fedd6d6c807cc7455
                                                                            • Opcode Fuzzy Hash: ad5ce0535d68c9f72a2b6a1883d10a1fa78fbfbfa276f929049a419e40c1eb6f
                                                                            • Instruction Fuzzy Hash: F3310A34B002498FCB18DF65C498ABEBBF6EF8E215F1850A8E446AB355DB31DC01CB60
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e1dd6dba49fc2c9acfb2a360fddfdf422570ce6d1dd29d216c4ff246c1507bca
                                                                            • Instruction ID: 4ead8c4fe514acf40091796cf5adfa759fa58edd07acaa9e755519a8e1ba9ba0
                                                                            • Opcode Fuzzy Hash: e1dd6dba49fc2c9acfb2a360fddfdf422570ce6d1dd29d216c4ff246c1507bca
                                                                            • Instruction Fuzzy Hash: B7314B74E012098FEF54DFA9D494BAEBBF6EF89300F148069E505EB750EA748C428B55
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 387875f7ced46c35d381fb60e877bf8f7322723f93a9a17c9bb92430b30e573b
                                                                            • Instruction ID: 14e513270f2b23085575af4dae9b9e9dfb41f6194f73910ba94f20c3b8596d98
                                                                            • Opcode Fuzzy Hash: 387875f7ced46c35d381fb60e877bf8f7322723f93a9a17c9bb92430b30e573b
                                                                            • Instruction Fuzzy Hash: 8E313E74E01209DFEF54DF69D4957AEBBF6EF89300F148069E505EB350EA748C028B65
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1cd6d02bb40a609f135593d12e2a4c1a2a6999f2f39f40307ebca0823076c5fe
                                                                            • Instruction ID: a86ae6469919d070872ccbeff9737aa525e290a5d7cded03a93b3004edf9ea97
                                                                            • Opcode Fuzzy Hash: 1cd6d02bb40a609f135593d12e2a4c1a2a6999f2f39f40307ebca0823076c5fe
                                                                            • Instruction Fuzzy Hash: 473152B8A002459FDB44EB74D854AEEBBB6EF85300F21846DC115AF395CB799D01CF60
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 28ea22e659e59ded363d7c6cdfa1552d9b92555e30851f7679d6dbecdf9785cb
                                                                            • Instruction ID: b8f041be365a5059e0ca2a8225b4bae23317916afd441e6f9a3612f2c1ca1c42
                                                                            • Opcode Fuzzy Hash: 28ea22e659e59ded363d7c6cdfa1552d9b92555e30851f7679d6dbecdf9785cb
                                                                            • Instruction Fuzzy Hash: 9021ED75A043488FDB14DFAED450BAFBFF5EF89220F24846ED008A7340CA74A905CBA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0d41e53949690aee2a282e8c06a9e175ed1cbc61ce1d1c8a2d8bf07d175731f4
                                                                            • Instruction ID: 2ae068fc6c8e06fbe36d5cbf3536a9ad434ebc21614ebda28e087f7cb26d46c5
                                                                            • Opcode Fuzzy Hash: 0d41e53949690aee2a282e8c06a9e175ed1cbc61ce1d1c8a2d8bf07d175731f4
                                                                            • Instruction Fuzzy Hash: CE31C1B1A12316DFDB10CF68C449BA5B7F9BF05316F04A0A6EB898B250C334D984CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5c9038324ee628309cce55aa21c1dd6b17e13542982e9640097b091fbb1d3ce0
                                                                            • Instruction ID: f9668104243baf30ba30e32ad6a2131ae70177d07bfb6539e8d94404600d8fae
                                                                            • Opcode Fuzzy Hash: 5c9038324ee628309cce55aa21c1dd6b17e13542982e9640097b091fbb1d3ce0
                                                                            • Instruction Fuzzy Hash: 5D3110B8E002099FDB44EFA4D954AEEB7B6EF84300F20846DD615AF394DB759D018FA4
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_366d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6fecddee563a847d63660649480390ac233ce839622fe0243f6336211d4b16f2
                                                                            • Instruction ID: 860fae9d3a304b1246c5a630a7d4019c4fd04b2bc6432cffa608d95c92ad9d6e
                                                                            • Opcode Fuzzy Hash: 6fecddee563a847d63660649480390ac233ce839622fe0243f6336211d4b16f2
                                                                            • Instruction Fuzzy Hash: 3821D172608200EFCB05DF14EAC0B26BB65FB88314F24C5A9E9094E757C736D456CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a356a79b0571d72f5756e826d653d6bde52f32c4a6a4cce5c77a6f746947ef27
                                                                            • Instruction ID: 08ef0266f3ea3d739d9573eabf17c39fcc93ac453058ac2afc7d574bbe3ea1b7
                                                                            • Opcode Fuzzy Hash: a356a79b0571d72f5756e826d653d6bde52f32c4a6a4cce5c77a6f746947ef27
                                                                            • Instruction Fuzzy Hash: C93189B49067448EEB60CF2AD08879AFFF2EF89320F28C46ED54D9B245D7749485CB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_366d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 14a58ac1a4098ae460f6bdd707693c89e38ea8ab852b72161193c65bee4fec57
                                                                            • Instruction ID: bf2c4fab80dcebd70dfe7504fc7c411fe17f830adaf1228e17b513a41d308159
                                                                            • Opcode Fuzzy Hash: 14a58ac1a4098ae460f6bdd707693c89e38ea8ab852b72161193c65bee4fec57
                                                                            • Instruction Fuzzy Hash: 5B213471604640EFCB10DF24EAD0B26BBA5FB88314F24C5ADD9094F346C37AD846CB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_366d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f8a7e97cf8f54d95bc7a6ce3817ad79bb64673b44d3188375303591171f14a26
                                                                            • Instruction ID: 868a8138038c25b4a955f8071047b62eca710820f0cd797850228af28b642903
                                                                            • Opcode Fuzzy Hash: f8a7e97cf8f54d95bc7a6ce3817ad79bb64673b44d3188375303591171f14a26
                                                                            • Instruction Fuzzy Hash: 3D2105B1604340DFDB14DF24E6D0B26BBA9FB94358F24C5ADD9094F342C73AD846CA61
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a9b2dcc4f4fd6cc1c95731ce0cda265b18a0fa136c0e49bae71bb108f6f6118f
                                                                            • Instruction ID: 4a6bafba3ba56f3e60eee704aa32def9ed26daec2cab7a8b2101549412f470f7
                                                                            • Opcode Fuzzy Hash: a9b2dcc4f4fd6cc1c95731ce0cda265b18a0fa136c0e49bae71bb108f6f6118f
                                                                            • Instruction Fuzzy Hash: 71219A749027448FEB60CF6AC08878AFBF6EB89320F28C45EDA1D97245D7746481CB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fe435a06d6068dcf85f1bb75e3ee22f3e0c69a6e4bd5dcff2899b862a4644567
                                                                            • Instruction ID: 10ccac865fbe637601494cb432c7c6e6be7bc3439e449e4aa6ff594e3c149e9d
                                                                            • Opcode Fuzzy Hash: fe435a06d6068dcf85f1bb75e3ee22f3e0c69a6e4bd5dcff2899b862a4644567
                                                                            • Instruction Fuzzy Hash: F521A5F1A1174ADFCB10CF59C449BAAB7F1FF45216F0491AED51987211D730D981CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c0181971dffac83d59d15d27644d1d7744f0df469e749308ac40538337569ef
                                                                            • Instruction ID: f0f49e147db7d7143479c9899513f3c86926812abf926d15c916b5acb0785a1f
                                                                            • Opcode Fuzzy Hash: 2c0181971dffac83d59d15d27644d1d7744f0df469e749308ac40538337569ef
                                                                            • Instruction Fuzzy Hash: 2D21D5B1A12346DFCB20CF6DC4487A6B7F9BF45224F0490A6D7988B211D731D881CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 307f6f36e7debfcb38a9f1bc9ef72f7b95d6060acb517e93af498b8cd5a9702c
                                                                            • Instruction ID: d277e973d4090b81ee85a95f8144eacd25346846eb61edab0f40a08c6023bb8d
                                                                            • Opcode Fuzzy Hash: 307f6f36e7debfcb38a9f1bc9ef72f7b95d6060acb517e93af498b8cd5a9702c
                                                                            • Instruction Fuzzy Hash: 71112B397002188FCF14DBA8D850AEDB7F6FBC8261B1440A8E509DB355DB35DC05CB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_366d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 79743b7ef64e79def9027e5355c367a0ea036754744aa2e52695c6db9a72276b
                                                                            • Instruction ID: c70b7f58e5d49cae3debb8a34c8ce93b74d421ace083cf2390e65fdee4e18132
                                                                            • Opcode Fuzzy Hash: 79743b7ef64e79def9027e5355c367a0ea036754744aa2e52695c6db9a72276b
                                                                            • Instruction Fuzzy Hash: CA214A76504240DFCB06CF54DAC4B16BF72FB88214F28C5A9D9494E657C33AD46ACBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d35026ad95e4803efdc440714b0bd9c70c09111a7d521071f6cc617631c4947d
                                                                            • Instruction ID: 482d105798655c8417557bf06c7e6e27b7a2a111070d29984aca38b6697dcf20
                                                                            • Opcode Fuzzy Hash: d35026ad95e4803efdc440714b0bd9c70c09111a7d521071f6cc617631c4947d
                                                                            • Instruction Fuzzy Hash: 8F116775805389CFDB21CFAAC5447DABFF4AF49320F2880AED448AB651D339A548CB65
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_366d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0e074c66091f42264c338087dd8e67e8934f5c9a6a74f81f19a2831112881f99
                                                                            • Instruction ID: fe028caab7d96d221bf30d78c0acb4ee73c6e82d371e8eeba6ddfca77f3044cd
                                                                            • Opcode Fuzzy Hash: 0e074c66091f42264c338087dd8e67e8934f5c9a6a74f81f19a2831112881f99
                                                                            • Instruction Fuzzy Hash: 0711BB75504680DFCB11CF14E6D0B15FFA1FB84224F28C6AAD8094F756C33AD44ACBA2
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 159b1873ad8e142474fd79603cca721309276f2f1f29958edd57933b4015dcfd
                                                                            • Instruction ID: 1ed92c7d48edd39fa50e6e96043aae6f892bdc74bcfec2397ea433b23196b034
                                                                            • Opcode Fuzzy Hash: 159b1873ad8e142474fd79603cca721309276f2f1f29958edd57933b4015dcfd
                                                                            • Instruction Fuzzy Hash: E01166B1800749CFEB10CF9AC544B9EFBF8EF48310F2880A9D548A7641D339A544CBA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_366d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c12bdcfc7d53356236296e6c9884e8d6b07be3f84c1f820c8cafd9167f572e4
                                                                            • Instruction ID: 5ed77519bd40f1f1796d1824ed9976251e2ec08b388c3f7b9885d61c65eb3893
                                                                            • Opcode Fuzzy Hash: 2c12bdcfc7d53356236296e6c9884e8d6b07be3f84c1f820c8cafd9167f572e4
                                                                            • Instruction Fuzzy Hash: F211BCB5504280CFCB15DF14E6D4B25BBA1FB44314F28C6ADC8494B752C33AD84ACB92
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2260dbb0267ff0580b518557b88e596ed8d6418bebb0490a3af1b649bcd5bb93
• Instruction ID: 5cf87318ecedc32266df409cf314c4ce173af83c641f35ed801e5525a8d5f14e
• Opcode Fuzzy Hash: 2260dbb0267ff0580b518557b88e596ed8d6418bebb0490a3af1b649bcd5bb93
• Instruction Fuzzy Hash: D201B5316087849FDB14DB75D494AA97FF4EF4A310F1888EEE089CB6A2DA74E845C701
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93e66ce15ceead9d6885652729518d31b8343acad986cbc691e7e6ee3c9cdfc3
• Instruction ID: 1584a994bf612520aef373b02e90bab2964d26190c7ed617c3e5a4a8a0177471
• Opcode Fuzzy Hash: 93e66ce15ceead9d6885652729518d31b8343acad986cbc691e7e6ee3c9cdfc3
• Instruction Fuzzy Hash: 06110935204754CFC728DF79D05089AB7F6EF8921572489ADD48A8BBA0CB32F845CB50
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 709b8999a703e996700bd6a2488674fd924ccd8bcf3bbb116172a1e5d03ab99b
• Instruction ID: ddec8986cd33e379ce4ac4acaf25644ec43ad2f9fdee9dfbffe5715f65994513
• Opcode Fuzzy Hash: 709b8999a703e996700bd6a2488674fd924ccd8bcf3bbb116172a1e5d03ab99b
• Instruction Fuzzy Hash: 81014C35B002149FCB219F74EC08AAEBBF5FB89215B14407DE91AD3642DB329912DB91
Memory Dump Source
• Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_366d000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0f85b374a97670c40ae820ebdcc15479b02f850bb202c1b9fb43be0d7f1d790b
• Instruction ID: dc7d216c5ab5a06d04e979f2570d9b9a0e7fefc7a3d1bdb9317047e95bc203fb
• Opcode Fuzzy Hash: 0f85b374a97670c40ae820ebdcc15479b02f850bb202c1b9fb43be0d7f1d790b
• Instruction Fuzzy Hash: A3012B31204740EAE710CF26CD80B67FF9CEF813A0F1CC05AED080B246C2789846C6B1
Memory Dump Source
• Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_366d000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7f3c59f7e0882cff916792081a173431466a9b421e2165087dc43a867fc9b90
• Instruction ID: 7779b9e5ac51287a913ce4ccb8709de79e2bf5e790a7fdde644b48714d681842
• Opcode Fuzzy Hash: e7f3c59f7e0882cff916792081a173431466a9b421e2165087dc43a867fc9b90
• Instruction Fuzzy Hash: EA01566110E7C0AED7128B25C994752BFB4DF53224F1D80CBDD848F297C2695849C772
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c2447dddd1f5f607e6bdc807ca8a52fe7bcdb0d11f1e3b515433ca597211540
• Instruction ID: 08378212a91dd2342e7eeb4430542adb9866063e5ce8691cb6fd56f8cde32fb5
• Opcode Fuzzy Hash: 5c2447dddd1f5f607e6bdc807ca8a52fe7bcdb0d11f1e3b515433ca597211540
• Instruction Fuzzy Hash: A0F0A43531A3905FD7018A799C549B77FF9AB9A62071945ABF484C7262C9B4CC048760
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1762f4211796a48b9a285b0f497f8de549729201bacd743e713650fc005c7ddc
• Instruction ID: 0eae2aac5b54f1b2a0f44e72c7f4de0d2bfc52adbd9717a8b8a3462b070a200e
• Opcode Fuzzy Hash: 1762f4211796a48b9a285b0f497f8de549729201bacd743e713650fc005c7ddc
• Instruction Fuzzy Hash: 08F046352067409FC701876AE84496F7FF9EF8B121B00066EE14DCB752CE306C0687B1
Memory Dump Source
• Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_366d000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2201c439caa32d32d8c85f906ffbfa0d370369e563832da3a046b6186419067a
• Instruction ID: e8d4c95c879439e8b5b2055f033ed56ef0f88340b0430b6fb012aad488c1ebb8
• Opcode Fuzzy Hash: 2201c439caa32d32d8c85f906ffbfa0d370369e563832da3a046b6186419067a
• Instruction Fuzzy Hash: D9F0F976600654AFD720CF0AD985C23FBADEFD4670719C55AE84A8B711C671FC42CAA0
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a983184ba93e59a413d0f5921a37eb9ce5e785802a5698aabf95b5c871ec2ec5
• Instruction ID: 51a46507653582f056dbfcb26eefb330ffa8b32a9289884c04bb956104b4f5f5
• Opcode Fuzzy Hash: a983184ba93e59a413d0f5921a37eb9ce5e785802a5698aabf95b5c871ec2ec5
• Instruction Fuzzy Hash: 74F0C2357092404FD705EB24C0583AB7B61DBC6325F15819EC4568F395CE391846CBA1
Memory Dump Source
• Source File: 00000004.00000002.2171263604.000000000366D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0366D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_366d000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e420132aefd43efcd33d7e9635bde158146f4a5ee3fd908e5ba07aa8d332ad8f
• Instruction ID: b870c1fd306b4e3df451d1e26ef3f57d7f1ac9f2af8d9276686edaf0d36c76b3
• Opcode Fuzzy Hash: e420132aefd43efcd33d7e9635bde158146f4a5ee3fd908e5ba07aa8d332ad8f
• Instruction Fuzzy Hash: 03F0F976100A80AFD725CF06C985D23BBB9EB85660B198589E84A8B352C631FC42CB60
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3f39ae6cb167b51db5e8660c3735d99be30cb15ca1b61ba7f6e2bf3fea6dd7ab
• Instruction ID: fd46ddbbb45e4f266665c6e25236e6bb0ce789222e90c326cc95d242074d4166
• Opcode Fuzzy Hash: 3f39ae6cb167b51db5e8660c3735d99be30cb15ca1b61ba7f6e2bf3fea6dd7ab
• Instruction Fuzzy Hash: AAF08C367006149FDB149A6AE844A6FB7E9EB8A661B00092DE20EC7351DE30AC0287A4
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ded902d718ed0dcec99c7ce76c8425ce57e292774e63adf37afd742aeef7e50f
• Instruction ID: 26314d8cfd54be0cd5b39644b8bc603cdf6ac0a6aa67d3092311d9c34043a152
• Opcode Fuzzy Hash: ded902d718ed0dcec99c7ce76c8425ce57e292774e63adf37afd742aeef7e50f
• Instruction Fuzzy Hash: AEF058397142408FC7118F2CD494866BBF6EFDA21532D20AAE584CB732DAA1DC02CB50
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84f0647c4f304737190bc53a44cba0e7b8404df997d554390491658e3023f00d
• Instruction ID: 2d654641738ab1bf16043ef4ec4c172aa40a0a657e8c4f9904694d7a0f015656
• Opcode Fuzzy Hash: 84f0647c4f304737190bc53a44cba0e7b8404df997d554390491658e3023f00d
• Instruction Fuzzy Hash: 86F05E70A0A3404FDB61DB78E8DC39A7FF0EB06210F1444AEE55ACB292CB786885C750
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3461528e5b9c316d961d8a3e478c09281dabcf37067fcd62887d2b92e68dfbf1
• Instruction ID: fb0b6c5c464494c21cf9f5d90f709c294a216f6104efb7cac1b27e094b10e985
• Opcode Fuzzy Hash: 3461528e5b9c316d961d8a3e478c09281dabcf37067fcd62887d2b92e68dfbf1
• Instruction Fuzzy Hash: 54F027397042045BE704EB75C0083ABB796DBC1365F10812EC50A4B388CE3D6C06CBE1
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56e3cb0f75cd75608a4b36cbef6c0a458e8b7ede622052a74c6fe75fb4eac9e3
• Instruction ID: 52fad699388e496aa09e3d059f36ea1e52679667fd5d37e1094e326c43d60206
• Opcode Fuzzy Hash: 56e3cb0f75cd75608a4b36cbef6c0a458e8b7ede622052a74c6fe75fb4eac9e3
• Instruction Fuzzy Hash: DEF0A0393002148FCB24DB6CD840AAABBF6FBC9255719419CE60ACB314DE34DC028B90
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 837cedcd3194918d663850b053f820bec026cfd218f6bd1b08660162e2ab5f2e
• Instruction ID: a97d4cdc161cdddf74780ba13ae82adfc6eb1dcf42392b7b5cbfb30072b0f50e
• Opcode Fuzzy Hash: 837cedcd3194918d663850b053f820bec026cfd218f6bd1b08660162e2ab5f2e
• Instruction Fuzzy Hash: E1F06C35605BD05FC723D72DB81089F7FE99EC716131541DED045CB256CAA5880687E6
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89c6184b0867390cf97947bfd7d34fce04442a693b13630378e11adccab87c80
• Instruction ID: ec41febe40e4e6e5bf72121cd12aa499f06f2e66a5ff4dc20018de4a630c1297
• Opcode Fuzzy Hash: 89c6184b0867390cf97947bfd7d34fce04442a693b13630378e11adccab87c80
• Instruction Fuzzy Hash: 8DE0E5357101108F8610DB1DD498D2AB7EAEFDE66571910A9E949CB321DA61EC028B90
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a4944831a1c765908b4b51d734645ba9226ae0ad47c286a6d4e5c17caae2b56
• Instruction ID: 059c3dd9278d9c233c05b3b503f539f9a1ca1d39b0d83bd0556b5db0b7a1a2b9
• Opcode Fuzzy Hash: 3a4944831a1c765908b4b51d734645ba9226ae0ad47c286a6d4e5c17caae2b56
• Instruction Fuzzy Hash: 00E02231B14090AB8B09C36DE4404FAFFB99FCE320F14857EE806A7250CAB158169BE0
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c796dd3520572382206a3274b2cadf10679321be060908b5fd8027becda5d411
• Instruction ID: c15b010692fd0ec6a46eb443633b97a11ac02567d127bfb0c02db02a9d00b608
• Opcode Fuzzy Hash: c796dd3520572382206a3274b2cadf10679321be060908b5fd8027becda5d411
• Instruction Fuzzy Hash: D9E0D8167022601B9E51E278440867A59CACEC68B972903B78611CF6C0DD60CC0143A2
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b73841e773b75e67397314609e36c74154217f31d2d567a3bbfa916595bff794
• Instruction ID: 00cdf49957d632cbe40d910595b5ed50cb7377d48cb98ff4557c791976b0f265
• Opcode Fuzzy Hash: b73841e773b75e67397314609e36c74154217f31d2d567a3bbfa916595bff794
• Instruction Fuzzy Hash: 2CF06D709013044BD760DBB9E89C79ABBE9EB45310F00442DE60EC7340DB396881CB90
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebfa0cda34cd71b350d59badc766d9d2b805b7b0de0a3d02c4596572570d5c65
• Instruction ID: 7d4540f1b0c68b7ba4fd8ffbbd29e0307cb14d047a6ca9482f38f704e72c65db
• Opcode Fuzzy Hash: ebfa0cda34cd71b350d59badc766d9d2b805b7b0de0a3d02c4596572570d5c65
• Instruction Fuzzy Hash: C6E08C1A30E3951F6B56A17E682086A3FAA8ACB42030E84BAE548CB202CC528C0643A1
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dfee2aa888aceae3516cd434b79abe9a277219e16279a84f7259db52e609bb82
• Instruction ID: 0596d573e4991198cc7d1829e211193348430934a67d4e8fe881a48d482dc89b
• Opcode Fuzzy Hash: dfee2aa888aceae3516cd434b79abe9a277219e16279a84f7259db52e609bb82
• Instruction Fuzzy Hash: E3E0D83970065197DF0A6734A94C3AE7652EBC5726F00001FF51687341CF750902C7D5
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92e3f79f7d712b9de38e9d7599c4cb72b7e4da21fd0b323515f2aa4cd27ad33d
• Instruction ID: d95f897d07d0a8ed80aae4d7fe38bd4a42f3f491304beb6bd6527ccecbe20cde
• Opcode Fuzzy Hash: 92e3f79f7d712b9de38e9d7599c4cb72b7e4da21fd0b323515f2aa4cd27ad33d
• Instruction Fuzzy Hash: E0E0263930471097CF0A7775A80C3AE7A56EBC572AF00002EE60687381CFB8490283E9
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3770000_powershell.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fadba222003c716831afde963f24b1b4782c8ba478dc21a6ba17d3c6bce16c9b
• Instruction ID: 7fece954d1bead28c7ad3a2ef5686436150a1d3d0551f297a5e9884e6f912b33
• Opcode Fuzzy Hash: fadba222003c716831afde963f24b1b4782c8ba478dc21a6ba17d3c6bce16c9b
• Instruction Fuzzy Hash: 08D05E177022252B4D54B0AA98097BBA5CECAC64E172901B6DB05DB281ED40CC0103F2
Memory Dump Source
• Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                            • Instruction ID: b601a9a2011e1adeb543444a4e7995f42166c89f8df44bff94ba7cfde9c73dce
                                                                            • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                            • Instruction Fuzzy Hash: F1E08C32B10018A78B18D6A9D8504E9FBAADFCC220F14847ED90AA7340DAB2691686E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e690739ab1a625074469751e909e3e0d4823c6025cca7fe513a4e3b15e31a379
                                                                            • Instruction ID: ad5f506a8608a76d86d944e430a2f511f5ff2fe54407b946b8f7fd1a4cd0d096
                                                                            • Opcode Fuzzy Hash: e690739ab1a625074469751e909e3e0d4823c6025cca7fe513a4e3b15e31a379
                                                                            • Instruction Fuzzy Hash: 6DE08C35700A14478621A62EB81089F76EEDFC5661354406EE01987304DEA4DC0647E5
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8cf6571ea56f481fe72d0b39f5827fa5d54be478b676d4671c0e07545d171875
                                                                            • Instruction ID: 07727a18199a2e7d38d864318dd002f94d3cca371e9b6027b6001e3c77a333df
                                                                            • Opcode Fuzzy Hash: 8cf6571ea56f481fe72d0b39f5827fa5d54be478b676d4671c0e07545d171875
                                                                            • Instruction Fuzzy Hash: E3E04F31E050458FCF09FBA4EC5A5EE7F70EA15302B40019DE85762852DA710547CB81
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 47a6cfd37e1a1515f0d2ce7ef39306198c0b68587883ab42f533e84de17f14e9
                                                                            • Instruction ID: 827c9c1957d206971ee817e61aa77bc4df5065ab6779e5a3782a8118b2c65c0a
                                                                            • Opcode Fuzzy Hash: 47a6cfd37e1a1515f0d2ce7ef39306198c0b68587883ab42f533e84de17f14e9
                                                                            • Instruction Fuzzy Hash: 34E01A74D0160AAF8780DFA898415A9FFF0AB09200F1085AAD919E7311F23286129B81
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 04bdda6df91f9ede1f1c420c5c1c645db7fd7372b6deb2a5f653a2096b568142
                                                                            • Instruction ID: 118a86b84f220e34a20a48821106c175d2ad8c5c94c5ed84b66366d4b155936e
                                                                            • Opcode Fuzzy Hash: 04bdda6df91f9ede1f1c420c5c1c645db7fd7372b6deb2a5f653a2096b568142
                                                                            • Instruction Fuzzy Hash: 60E02630D042068FCB08EFB8D50546ABFF1EB59209B0442AEE9048B741D2300842CF81
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                            • Instruction ID: 3127fc54187984aaf96919405670bb7863e3539da0db4eb66a20ebd322051b5c
                                                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                            • Instruction Fuzzy Hash: 2AD06270D042099F8780EFADC94156DFBF4EB48200F5085AAC919E7301E7315612DBD1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1ee75946c9fac41ab17e3b7c66cf7246ef3ef576fd4a2d1fac3ca7f8837de53a
                                                                            • Instruction ID: f59e1c11aeb0fe27a1ea94fd18c4d67a35ebb34b76fd1254fea47b61e6f91dda
                                                                            • Opcode Fuzzy Hash: 1ee75946c9fac41ab17e3b7c66cf7246ef3ef576fd4a2d1fac3ca7f8837de53a
                                                                            • Instruction Fuzzy Hash: A6D067318041099BCB18EBE4EC5A5BDBB74FA14302F40416DE91762592EA315A5BCAC5
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 34cfbc79e35800ec9de4f9a68c73f45433f57b68236e337f8e5e8ede0d2aa0c2
                                                                            • Instruction ID: 797549350b93961eb839dfbd0964cd73b22a7b4ba6e378a3c6a53f9e1c347369
                                                                            • Opcode Fuzzy Hash: 34cfbc79e35800ec9de4f9a68c73f45433f57b68236e337f8e5e8ede0d2aa0c2
                                                                            • Instruction Fuzzy Hash: 31D05E30E0820A9FCB5CEFA4E84A96EBBB5EB44301F004169EE0993780EA305D02CFC1
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 173201c3a7ca77f4a4684fe4e6468ab7949ea8b76c43b60f2933a75f81376a45
                                                                            • Instruction ID: a60f7ee31c2b962f5fda529044d19aa44faad6d7af1ee8c8f1eae1ce30614c66
                                                                            • Opcode Fuzzy Hash: 173201c3a7ca77f4a4684fe4e6468ab7949ea8b76c43b60f2933a75f81376a45
                                                                            • Instruction Fuzzy Hash: F8D0C93454EBC49FC7278F7994948183F355E0312475918EED8CA8F5B3C9B68489CF06
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cfe9f673824156fa90c041f95fa9d435ecb542e78b4332769857853d5131e4d8
                                                                            • Instruction ID: a8c4b067f9c170a65072f0e4e5bfa7154224436d1992d83d2ecc14179a7f7550
                                                                            • Opcode Fuzzy Hash: cfe9f673824156fa90c041f95fa9d435ecb542e78b4332769857853d5131e4d8
                                                                            • Instruction Fuzzy Hash: FFC04C2551E7D04FDF0B97754C6A5176F33098310574A55EFC182DA853C975444AC752
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1c7f7ecf08f7e63b0a2527f31f3521cda302fe157086f1645a4f842813c8ad96
                                                                            • Instruction ID: ab7fa5d223d665547dcfd58857cf91374821f19b81a445e4a3f297e4b8175c67
                                                                            • Opcode Fuzzy Hash: 1c7f7ecf08f7e63b0a2527f31f3521cda302fe157086f1645a4f842813c8ad96
                                                                            • Instruction Fuzzy Hash: B0B092341857488FC298AF76A804814732DAB4221538018A8E90E0A2A38E76E885CA44
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2180333554.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_7e30000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pi_k$pi_k$pi_k$pi_k
                                                                            • API String ID: 0-1066377241
                                                                            • Opcode ID: 2dd1dc89398222d4dbffca429b8ad7ec675deb4ec7960b2f8f7c9d107cd1c00c
                                                                            • Instruction ID: 7b4d6afa27e820b168d94a09ac0bfcd8ee7bdb6aadaba905933c7300cef9e43f
                                                                            • Opcode Fuzzy Hash: 2dd1dc89398222d4dbffca429b8ad7ec675deb4ec7960b2f8f7c9d107cd1c00c
                                                                            • Instruction Fuzzy Hash: 01411871B0120ADFEB249F69C4086AEB7F9FF89311F148476D699CB240DB35C941CBA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.2171529442.0000000003770000.00000040.00000800.00020000.00000000.sdmp, Offset: 03770000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_3770000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: q$q$q$q
                                                                            • API String ID: 0-594874556
                                                                            • Opcode ID: 7dd1ce48201d305eb4ebcd9cddad3462bebaac4e78ef7ed8c57ffc10ebeb6cee
                                                                            • Instruction ID: ed97d021c4b437c18f11a0ee8c02f5b49710bfcb438756894ed69ff77e299b8c
                                                                            • Opcode Fuzzy Hash: 7dd1ce48201d305eb4ebcd9cddad3462bebaac4e78ef7ed8c57ffc10ebeb6cee
                                                                            • Instruction Fuzzy Hash: 88F08C6190E3D69FE3135779A83A1E53FA04E23224F4500EBCCA48B5D3E54D0569C39A
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 176c0d631d0e3434e64177073e41c5cca4173dc5a31701cb52bfc6fd01f04d0a
                                                                            • Instruction ID: 9593e8316ea715a8d653ccb88675d9938c20cba401be232cfc0669648f538efd
                                                                            • Opcode Fuzzy Hash: 176c0d631d0e3434e64177073e41c5cca4173dc5a31701cb52bfc6fd01f04d0a
                                                                            • Instruction Fuzzy Hash: 63918070F016969BEB19EFB588106AEBBF3EFC4600B408A1DD516AB350DF34AD058BD5
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 12f1e7fecbeb5e60309502b2ea923373719d722a391eea6a2d11bac9933df734
                                                                            • Instruction ID: 0d71707e1bbfcd9c2634f647c9c8e24e203df698c3cff17cc074c3022ce9dbef
                                                                            • Opcode Fuzzy Hash: 12f1e7fecbeb5e60309502b2ea923373719d722a391eea6a2d11bac9933df734
                                                                            • Instruction Fuzzy Hash: 5E917F70F016969BEB19EFB589106AEB7F3EFC4600B408A1DD516AB340DF34AE058BD5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2223636402.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ac0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pi_k$pi_k$pi_k$pi_k$pi_k$|,ak
                                                                            • API String ID: 0-1153659919
                                                                            • Opcode ID: 34e9496b284e4649ddf56b62f03eafbed8cad881c1d12f72afe26e6df1f9767c
                                                                            • Instruction ID: 0da069022b247ce66ffb52b5499ea5d7a0df4c5fe96090a3bb68c677f392ffc9
                                                                            • Opcode Fuzzy Hash: 34e9496b284e4649ddf56b62f03eafbed8cad881c1d12f72afe26e6df1f9767c
                                                                            • Instruction Fuzzy Hash: 9E22E4B1B00209EFDB24DF6884517AABBF5FFC6211F0480BED525DB291DA35D941CBA2
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2223636402.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_7ac0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0bcd108434d33a494280afa66676b8be824fcc97312a4d2e3db0ebdbae45e87e
                                                                            • Instruction ID: 9f5a96f7f33d8b1aba33cdd6a7d846b798d8852387931f24c92c004de8f2daa2
                                                                            • Opcode Fuzzy Hash: 0bcd108434d33a494280afa66676b8be824fcc97312a4d2e3db0ebdbae45e87e
                                                                            • Instruction Fuzzy Hash: C51239B2704341AFDB25DB6888217AABFF29FC6211F14C4AED565CF245DA31CD41CBA2
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bcd547348c17357b70880f38028b8bd5896558a53f6aff6baf835761a3a6e31e
                                                                            • Instruction ID: e9a3eb408ee5a7f0754d8f9bdc1783a6779cad9bf864822efe6b288edabb2591
                                                                            • Opcode Fuzzy Hash: bcd547348c17357b70880f38028b8bd5896558a53f6aff6baf835761a3a6e31e
                                                                            • Instruction Fuzzy Hash: F0918B74A00205CFCB15DF5AC494ABAFBB5FF88310B2486A9D915AB365C735FC51CBA0
                                                                            • API String ID:
                                                                            • Opcode ID: c2e108b209aa7bd2931421c77b223697aa6149d1c9ad685279741ca539db9eff
                                                                            • Instruction ID: bad3c2a111888349089bab38a606a3002a6383de4a8fc0a989863a6769b1e333
                                                                            • Opcode Fuzzy Hash: c2e108b209aa7bd2931421c77b223697aa6149d1c9ad685279741ca539db9eff
                                                                            • Instruction Fuzzy Hash: AE11C0312083808FD729DB7AD494AA97FE1AF46210F1488EED08ACB6B2CA20F845C700
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2206861027.0000000004C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C4D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4c4d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c12bdcfc7d53356236296e6c9884e8d6b07be3f84c1f820c8cafd9167f572e4
                                                                            • Instruction ID: 2b0b3dd616aa32c23ded8204b2e63d9f8303896e132eca47046f4d1c9e5285e4
                                                                            • Opcode Fuzzy Hash: 2c12bdcfc7d53356236296e6c9884e8d6b07be3f84c1f820c8cafd9167f572e4
                                                                            • Instruction Fuzzy Hash: 3A11E0B5504284CFDB15DF14D6C4B25FBB2FB84314F24C6ADC8494B652C33AE54ACB92
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 640110f2dedf85f72648d8e4a6ffeb303ddbb1a1732e9501f5a2dab265e0d4dc
                                                                            • Instruction ID: 919b0c30b004715b684f78814a6fbe5e3f004cda6b7ef68cf9c0d643cbf9c376
                                                                            • Opcode Fuzzy Hash: 640110f2dedf85f72648d8e4a6ffeb303ddbb1a1732e9501f5a2dab265e0d4dc
                                                                            • Instruction Fuzzy Hash: 91F0A4313093945FD7028A7A9C549B77FEDDF9A62170544ABF844C7362C961DD04CB70
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2206861027.0000000004C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C4D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4c4d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bbf89feac12bab5732f771d03baaadc852b7aef8b48c242093b32ed21e683392
                                                                            • Instruction ID: c1f1de28f47ca3e8b4d6f17c925e8f7c4423c3969331ab3e81d7f051aaf3fb14
                                                                            • Opcode Fuzzy Hash: bbf89feac12bab5732f771d03baaadc852b7aef8b48c242093b32ed21e683392
                                                                            • Instruction Fuzzy Hash: 93015E6140E3C09FE7129B259994B52BFB4DF53224F1D81DBE9888F2A3C2699849C772
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2206861027.0000000004C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C4D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4c4d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c66b7550a154fc1ab3630023316ae44a148a6a34cc0bc631aa4ff61562b0267
                                                                            • Instruction ID: 7c0cab643a36ef96bf929d4c4a29ffd6cb5d49756ab822f1b135ac72143f6f63
                                                                            • Opcode Fuzzy Hash: 2c66b7550a154fc1ab3630023316ae44a148a6a34cc0bc631aa4ff61562b0267
                                                                            • Instruction Fuzzy Hash: 01012B31504340EAE7105F26EE84B67FF98EFC1320F18C41AED4A0F242C678A945C6B1
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 81bff5170684749178b2fd3cbcc80fdfb7d76068717a5508da953cdabf19f824
                                                                            • Instruction ID: d1a1e0669a59035b2a0217afa496d32a8dfa874385ca102df8baa00d1fc94465
                                                                            • Opcode Fuzzy Hash: 81bff5170684749178b2fd3cbcc80fdfb7d76068717a5508da953cdabf19f824
                                                                            • Instruction Fuzzy Hash: D5F046717056509FD7119A65EC50ABF7BF9EFC9221700062EE14EC3341DE246C058770
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4bc1db5c3b19b84daa3940401942b08922275f5d271cbd52b092f5d0d370e3ea
                                                                            • Instruction ID: 4626695bfe5ef7a3ab1e9ed29ab39dc8bf02addc294d4eca5801d146a47d8a14
                                                                            • Opcode Fuzzy Hash: 4bc1db5c3b19b84daa3940401942b08922275f5d271cbd52b092f5d0d370e3ea
                                                                            • Instruction Fuzzy Hash: 9FF0A4312053859FD316A739D9509AABFB6EFC32587058ABEC149CF322DA25AC09C760
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c6b3dde9bd5a7e9a3ebcac8b79f1f24bd389890531ee45229a83f51d3c26f8af
                                                                            • Instruction ID: 06dac1261d8dfe9cdbeeab5c686443e9a91980d8bfb8964ed3b18c79f859752a
                                                                            • Opcode Fuzzy Hash: c6b3dde9bd5a7e9a3ebcac8b79f1f24bd389890531ee45229a83f51d3c26f8af
                                                                            • Instruction Fuzzy Hash: BCF090313056919FD717661EA8104BA7BABDEC626130504ABD149CB211DE64AC0487F2
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 67be3eca98fc0c1f23d3eac5105d5f3b3e25542ac2e28f18ba913568244f5e83
                                                                            • Instruction ID: 3b8103b50bd625387b8bb554a00246ff9121968a136d30ecc3500591fae32024
                                                                            • Opcode Fuzzy Hash: 67be3eca98fc0c1f23d3eac5105d5f3b3e25542ac2e28f18ba913568244f5e83
                                                                            • Instruction Fuzzy Hash: 9AF0F6717046509FD7129B65EC90ABF7BF5EFCA321700052ED14DC7351CA20AC058770
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ee7900ea3aeea489e726a7986b675c8347aee7a7aafcb7739ed7364414bd333c
                                                                            • Instruction ID: 865a7cc2753fe70b7500189ffdeb6e1b8e6aa0c1ec27c597f601cb6d0272d3f3
                                                                            • Opcode Fuzzy Hash: ee7900ea3aeea489e726a7986b675c8347aee7a7aafcb7739ed7364414bd333c
                                                                            • Instruction Fuzzy Hash: E2F0A4356092819FE7126B79C4183AA7F61EFC2318F14409AC9854B356CE396C09DBF1
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3d349da102080d0ee0279cc2f8a03073e666d656771460582e8eeaa8cbea8c10
                                                                            • Instruction ID: 1c6a5de3f84b4a87498f0685cb0407a6109bb3f08fddbc70676624e5aaf94f89
                                                                            • Opcode Fuzzy Hash: 3d349da102080d0ee0279cc2f8a03073e666d656771460582e8eeaa8cbea8c10
                                                                            • Instruction Fuzzy Hash: 2AF0BB3020A3C05FD317533D585186D7FB6DDC32503194ABEC18ADB663CA285C09C772
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2206861027.0000000004C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C4D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4c4d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 13ed7969824be0eb1d3d5174e7d794179d7a6c4513e9514c90f850d049fd81ee
                                                                            • Instruction ID: 3dab216231623331d8a3759b613f060569f1b74c72066e816b83d4b68adc3c08
                                                                            • Opcode Fuzzy Hash: 13ed7969824be0eb1d3d5174e7d794179d7a6c4513e9514c90f850d049fd81ee
                                                                            • Instruction Fuzzy Hash: BAF0F976200604AF9720DF0AD985C23FBADEBD4770719C55AE84A8B751C671FC41CAA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e18f7884270d5bda2cf0b6fd4a30039a8ee010bcf80183959f9cf58b817823ee
                                                                            • Instruction ID: e2eaa66270769cc8c1dfc2bfb81c679c706f0b90340e057afe549282210e9d51
                                                                            • Opcode Fuzzy Hash: e18f7884270d5bda2cf0b6fd4a30039a8ee010bcf80183959f9cf58b817823ee
                                                                            • Instruction Fuzzy Hash: 08F05E353042418FC3119F1DD898876BBFAEFCA71532900AAE584CB332DE61EC01CB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 85ee55690192a7b6d2abc1bd78f25cf4ce77a23bfa11f17a90c15af52d8ce3c9
                                                                            • Instruction ID: ad277da95b50c1cd0e4055ef06dd6a67d88c358666f850498ea9b6a60ac25544
                                                                            • Opcode Fuzzy Hash: 85ee55690192a7b6d2abc1bd78f25cf4ce77a23bfa11f17a90c15af52d8ce3c9
                                                                            • Instruction Fuzzy Hash: CDF0A0717006149FE714AAAAE884A7FB7FAEBC9275B00092DE10ED3340DF30AC0187A0
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2206861027.0000000004C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C4D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4c4d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 649ed197e6d2bb98c667659e4b2615ed2b7fa43667c5a0df833c83def40d4d7d
                                                                            • Instruction ID: 5bcfbd03d59c93f0e0e095d0bc871527b94f424e74af366b60aab22c48074fa0
                                                                            • Opcode Fuzzy Hash: 649ed197e6d2bb98c667659e4b2615ed2b7fa43667c5a0df833c83def40d4d7d
                                                                            • Instruction Fuzzy Hash: 9CF01D75104A80AFD725CF06CD85D23BBBAEBD5720B198589E84A8B352C671FC42CF60
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 198baadb48aa59460b8e87c3474e8f0b8fa95af05836285275abd50312bec3da
                                                                            • Instruction ID: 57832e605d9ce6bdb3e3d2372b19374ea71aa877f660b97f0792403e1e5ecc4e
                                                                            • Opcode Fuzzy Hash: 198baadb48aa59460b8e87c3474e8f0b8fa95af05836285275abd50312bec3da
                                                                            • Instruction Fuzzy Hash: F5F0A7313012459BE314EB39E9509ABBBA7EFC62697008A3DD6098B720DE35FC05C7E4
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 53fdc91eb6183ec123f8421d4dd6c48d8edd71687acc9a72825448853f84e446
                                                                            • Instruction ID: 23708d69bfad328ea9a689ee89242fdec245afa0a1296b010d9e25b37f382403
                                                                            • Opcode Fuzzy Hash: 53fdc91eb6183ec123f8421d4dd6c48d8edd71687acc9a72825448853f84e446
                                                                            • Instruction Fuzzy Hash: 49F03039700514CFDB50EBADD8505A97BA2FBC97597194198E909CB365DF24EC024B90
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d0b64ac37330da874ad51eae63d88a8d2da032198fc3b477ca72495356ef6753
                                                                            • Instruction ID: bbf6b9571d0e525803afad809ba03ef8b307b9733264f6d34ebffb1c815282b1
                                                                            • Opcode Fuzzy Hash: d0b64ac37330da874ad51eae63d88a8d2da032198fc3b477ca72495356ef6753
                                                                            • Instruction Fuzzy Hash: 89F0A0757041458BE714ABA9D0187EB7BA6EBC4718F14816ADA0A87384CE3E7C05DBE1
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b6ac888e94cf7d0ec79e48de471d53427af4880952c19fb69b1fcbb96dab111d
                                                                            • Instruction ID: 1849ba5a457ab660b4108009a5eed537d4e06d94b72870bf22a3df0f87f2177e
                                                                            • Opcode Fuzzy Hash: b6ac888e94cf7d0ec79e48de471d53427af4880952c19fb69b1fcbb96dab111d
                                                                            • Instruction Fuzzy Hash: 5FF05471A0A3808FD3519B7894A839A7FF1EB46310F05489ED59AC7252D7346885CB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.2208023320.0000000004DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_4de0000_powershell.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0b02f72e0e0de182351e8e156ddf8bca80129e081dac3ae882dbaedb5011279c
                                                                            • Instruction ID: 88d1e30629c3e6217ecdc4d2c328c1a643a8fcaa8b6630a22f068789e4d4aa4f
                                                                            • Opcode Fuzzy Hash: 0b02f72e0e0de182351e8e156ddf8bca80129e081dac3ae882dbaedb5011279c
                                                                            • Instruction Fuzzy Hash: 4A917FB1F416559FEB59EFB498106AE7BB2EFC4700B40891DE106AB340DF34AE068BD5
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bcdcc7d76953520683620a76aeb3c81fccc82282fb9ecd106bc011889b464c32
                                                                            • Instruction ID: d61628358a065eb2e58f815a85884a4b8ed8a38e3790054c81d8129fe17ab8b8
                                                                            • Opcode Fuzzy Hash: bcdcc7d76953520683620a76aeb3c81fccc82282fb9ecd106bc011889b464c32
                                                                            • Instruction Fuzzy Hash: CD9190B1F416559FEB59EFB498106AE7BA3EFC4700B40891DE106AB340DF34AE068BC5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2270679507.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_70b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pi_k$pi_k$pi_k$pi_k$pi_k$|,ak
                                                                            • API String ID: 0-1153659919
                                                                            • Opcode ID: bc461fd54d96fbb1c58169e29feee7c6f28bbf5b4c121f19889a4b37c7b63868
                                                                            • Instruction ID: 5fd0ea557aae03b695bf4aef7cece2e6da9251078a88eb00203052d094fbb1ac
                                                                            • Opcode Fuzzy Hash: bc461fd54d96fbb1c58169e29feee7c6f28bbf5b4c121f19889a4b37c7b63868
                                                                            • Instruction Fuzzy Hash: 9B2214B1B00306DFDB719F6888506EABBE1FF8A211F1485AAD519DB251DB31CE41CBA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pi_k
                                                                            • API String ID: 0-3929962084
                                                                            • Opcode ID: 110919da403ce359b7ddf27e90a007af0b25c8cdcfbc1eef819174660f1badeb
                                                                            • Instruction ID: e96ac7e78902b8da3249b615c18906ab8e0e4c66a79431a6a77862201bf99698
                                                                            • Opcode Fuzzy Hash: 110919da403ce359b7ddf27e90a007af0b25c8cdcfbc1eef819174660f1badeb
                                                                            • Instruction Fuzzy Hash: CA414A71A04209DFDB15DFB8E9546DDBBB2FF89300F1085A9E415AB350DB34AE05CB91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pi_k
                                                                            • API String ID: 0-3929962084
                                                                            • Opcode ID: 5aac83739fa4e121811a00cc641286912b1f4d9d4d506c355deadb60a94cbb10
                                                                            • Instruction ID: 987748811e545698cef52d57178ca6faf1c68655f2d7d036f548f259f4789285
                                                                            • Opcode Fuzzy Hash: 5aac83739fa4e121811a00cc641286912b1f4d9d4d506c355deadb60a94cbb10
                                                                            • Instruction Fuzzy Hash: 61418831A00205CFCB15DFB8E854ADEBBB2FF89210F148569E415AB391DB34AD01CB91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pi_k
                                                                            • API String ID: 0-3929962084
                                                                            • Opcode ID: 4043ee679d97b1ca158bbc286b4a7d3d3cb63d2237f7dde4783f14f6e76f80b2
                                                                            • Instruction ID: 264dea8d455c4b16a7be22fe9b6302596357aee3bf671769c2b1b21698955763
                                                                            • Opcode Fuzzy Hash: 4043ee679d97b1ca158bbc286b4a7d3d3cb63d2237f7dde4783f14f6e76f80b2
                                                                            • Instruction Fuzzy Hash: FE311771A00616DFDB14DFB9E594A9EBBF2FF89304F108568E416A7390DB34AD05CB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 971565a579873f235fa01071461bdb0121fe5cc5f11681da4b14ceaa791166ac
                                                                            • Instruction ID: a14214462fbd73dd2593eacfffbd8141e75bd2e1060dcb0e3210673f99b78044
                                                                            • Opcode Fuzzy Hash: 971565a579873f235fa01071461bdb0121fe5cc5f11681da4b14ceaa791166ac
                                                                            • Instruction Fuzzy Hash: 08912874B20225CFEB18DFA9D45466DBBE6BFC9710B158069E906EB394DB70EC01CB90
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1dececfc0d61d9d409a25db2c7498683c4090e671714705a918d751955f09d8b
                                                                            • Instruction ID: b0a457221dad7c66cb32f4659bf72e60517e49b4aba5da5800bdd82f7b85f01c
                                                                            • Opcode Fuzzy Hash: 1dececfc0d61d9d409a25db2c7498683c4090e671714705a918d751955f09d8b
                                                                            • Instruction Fuzzy Hash: 1B919174A00205CFCB19CF59C494AAEFBB5FF88310B2586A9E915AB395C735FC51CBA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e0e45d062d9ec0d47fa4d97c70cf1b4d11f75d06cd72f386fb4dd22b51327cc2
                                                                            • Instruction ID: baf8d9970a6426742fbf6944736f033c34eff59fa878248c5b22115b2a858e52
                                                                            • Opcode Fuzzy Hash: e0e45d062d9ec0d47fa4d97c70cf1b4d11f75d06cd72f386fb4dd22b51327cc2
                                                                            • Instruction Fuzzy Hash: F151F3303142059FD718DB79E854A6A7BEAFFC9324B1585B9D519CB351EB31EC02CBA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 377dc93404bc642405e4eb14e71b21b493435a0dc7a4a663419fd2cb7292800a
                                                                            • Instruction ID: e8c5b351be502a0b4ee9e576f10419d789fdc0276778eb206398d69ebaafdf59
                                                                            • Opcode Fuzzy Hash: 377dc93404bc642405e4eb14e71b21b493435a0dc7a4a663419fd2cb7292800a
                                                                            • Instruction Fuzzy Hash: 4E611571E00249DFDB18CFA9D584B9DBBF1EF88310F15812AE819AB254EB74AD45CB60
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ba367678c4304b823e201bb033cccf95440c6cfcdf963c61c46a7403c23fecf4
                                                                            • Instruction ID: 806079cd157d8f1d223a77745ead4a564b662ab1c18724918707326b6a362483
                                                                            • Opcode Fuzzy Hash: ba367678c4304b823e201bb033cccf95440c6cfcdf963c61c46a7403c23fecf4
                                                                            • Instruction Fuzzy Hash: 705103B1E00248DFDB18CFA9D584B8DFFF1EF88310F15816AE819AB254EB74A945CB51
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f88fa93b99618fc58f8dbd68e24ff7709b99af61618c5bdd024bcde1e131300c
                                                                            • Instruction ID: d66f9af3798424a227a2c077e8572fbd1d89570a457174e09ce79e8a3294609a
                                                                            • Opcode Fuzzy Hash: f88fa93b99618fc58f8dbd68e24ff7709b99af61618c5bdd024bcde1e131300c
                                                                            • Instruction Fuzzy Hash: 08512AB4B102068FDB18DF6CD594A6ABBE6FFC8354B198569E509CF355EB30EC018B90
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2270679507.00000000070B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070B0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_70b0000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 03c1d09d590ee2611e8066a0632fe356614f7c10440d3143b611d2b9e319fcee
                                                                            • Instruction ID: 6064780124678c2d45a491532cc36801950c1721472e515ac48baf19d5e2c2ea
                                                                            • Opcode Fuzzy Hash: 03c1d09d590ee2611e8066a0632fe356614f7c10440d3143b611d2b9e319fcee
                                                                            • Instruction Fuzzy Hash: 60417AB1B002508BD77597B8D4116EEFBE2DFC2219B2086BBD5218B385DE31DE05C7A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9eb3aab2cdfa30c69af885e19f89aa4b1b49ec95d0b00ab1f8c67f60e58dbdcc
                                                                            • Instruction ID: 28420a7e234fd66ef6abaf464484d7e148d0a36c971513bd59dad4affd7dcd76
                                                                            • Opcode Fuzzy Hash: 9eb3aab2cdfa30c69af885e19f89aa4b1b49ec95d0b00ab1f8c67f60e58dbdcc
                                                                            • Instruction Fuzzy Hash: CB41FAB4B10206CFDB14DF6CD594A6ABBE6FFC8354B598468E509CB355EB30EC018B91
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 20512623e47345392596e0dd5fcdb53940fa95498f505399868223371554075b
                                                                            • Instruction ID: ed61911ba6c47b664dd7424c2fedf962ab07fb12c398eb8df1ab1300effd77e7
                                                                            • Opcode Fuzzy Hash: 20512623e47345392596e0dd5fcdb53940fa95498f505399868223371554075b
                                                                            • Instruction Fuzzy Hash: 91411B34B15205CFDB19DFA8C464AADBBF1EFC9311F145098E416AB391DB35AC01CB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d005d8e21d2b5606b542c8785afa822af84db8154e5bc11ac5f48fa88d0d13b3
                                                                            • Instruction ID: 5c6b204a8b192a4f6d4543d13d9ec0b57462d27e06dc709d50448bdc6166ab5a
                                                                            • Opcode Fuzzy Hash: d005d8e21d2b5606b542c8785afa822af84db8154e5bc11ac5f48fa88d0d13b3
                                                                            • Instruction Fuzzy Hash: 26419D74A00205CFCB09CF59C198AAEFBB5FF88310B118599E915AB364C336FC91CBA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3c6f4db9e51d40531fd08440a6c4b202908abf71699af63dba361699493207cd
                                                                            • Instruction ID: 5aeb4c2bd100044cc733d42720ba940bb883a239271008b913d08c9609dce923
                                                                            • Opcode Fuzzy Hash: 3c6f4db9e51d40531fd08440a6c4b202908abf71699af63dba361699493207cd
                                                                            • Instruction Fuzzy Hash: D93180353016119FD719DB79E854BAAB7A6EFC9310F008639E609CB350EF71A845CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cf9ae22291478e5ce878f12431ccf7d372c470caaac9396d39e7339a2655aa2b
                                                                            • Instruction ID: 3c82bbf1cc7711843e93b9e9e5a8afde74955c0fe7ef7e89efd2d151d392fe06
                                                                            • Opcode Fuzzy Hash: cf9ae22291478e5ce878f12431ccf7d372c470caaac9396d39e7339a2655aa2b
                                                                            • Instruction Fuzzy Hash: DB31F974B10146CFCB19CFA4C558AA9BBF1EBCD315F2850A8E416AB351DB75EC02CB61
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e58111f3a4b7a4310929d85eee0c9d180dcfb0d9db367de72882590ac218e270
                                                                            • Instruction ID: e570e292b2d9a6a057914779dc419a52722aedacb644942dea60c21ff2aabc4c
                                                                            • Opcode Fuzzy Hash: e58111f3a4b7a4310929d85eee0c9d180dcfb0d9db367de72882590ac218e270
                                                                            • Instruction Fuzzy Hash: 183149B0F502099BDB18DFA9D4957AEBBF6EFC9300F158029E405EB350EA759C418BA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e37dc8de0de5fb8b062b3d210f89d26b6484904e219b7f5892f18d694691db23
                                                                            • Instruction ID: 4b1dee5d2644e737639d1469457b4000e239fcb4a766773ce9d80c22048e9906
                                                                            • Opcode Fuzzy Hash: e37dc8de0de5fb8b062b3d210f89d26b6484904e219b7f5892f18d694691db23
                                                                            • Instruction Fuzzy Hash: 29314AB0F502099FDB18DFA9C4947AEBBF6EFC9300F158029E405EB350EA759C018B61
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4645a365b91301467c78005b36bee614ce338124485c3d4e5f89bf426b7199ca
                                                                            • Instruction ID: d393f3660f70800f6bdfd0f535b4a68897bf4c6cbf993f81a52e172b1507265b
                                                                            • Opcode Fuzzy Hash: 4645a365b91301467c78005b36bee614ce338124485c3d4e5f89bf426b7199ca
                                                                            • Instruction Fuzzy Hash: 1321DC76A042488FCB14DFAED85079EBBF5EFC9320F14842AD508A7340CA79A9058BE5
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bbbf5661f525c5215b75483c5252b05e62bbde41e82e839caa8b9a16d2f0038a
                                                                            • Instruction ID: 67175e11c4715031b2f315a5d032e915930374bd40f820c415054f702d14e1ec
                                                                            • Opcode Fuzzy Hash: bbbf5661f525c5215b75483c5252b05e62bbde41e82e839caa8b9a16d2f0038a
                                                                            • Instruction Fuzzy Hash: FD3189B5A157448EDB64CF7AD0883CAFBF2EF88320F28842AD44D9B245D6746481CF61
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1c6230f71e97ac340f7ba9709855b38f4705fd419490dd18129cd135809662b2
                                                                            • Instruction ID: 862920103c4cf370733be25f2a20c9e10c2dbb8fe31238ebc8cfbdd26d6dae49
                                                                            • Opcode Fuzzy Hash: 1c6230f71e97ac340f7ba9709855b38f4705fd419490dd18129cd135809662b2
                                                                            • Instruction Fuzzy Hash: 83311674B00205CFDB18DF68D458A9EBBF2FF88310F054569D406A7350DB78AC41CB95
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c9016626cfcf3f60a3b45053cf4cba40bf98df1a108aa70409fa6c450e1a7220
                                                                            • Instruction ID: e313dbe8b45bca0b498e236aa9d2f7c9413ae0073df4706701f52301a392c1c3
                                                                            • Opcode Fuzzy Hash: c9016626cfcf3f60a3b45053cf4cba40bf98df1a108aa70409fa6c450e1a7220
                                                                            • Instruction Fuzzy Hash: DB314CB4E402099FEB48EFA4D854AEE77B7EF84300F1184A9D611AB394DE35AD018F94
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9de709a3f65c7d00b9fd6554a898ee0213f64d6d2f267af3fa429fd50bb06a8d
                                                                            • Instruction ID: dcdbdf85eddc86d822ede1601954db313ebc1468ab0a5c5a639cb265db177614
                                                                            • Opcode Fuzzy Hash: 9de709a3f65c7d00b9fd6554a898ee0213f64d6d2f267af3fa429fd50bb06a8d
                                                                            • Instruction Fuzzy Hash: 47311474B00205CFDB18DFA8D858A9EBBF2FF88310F054569D406AB3A0DB78AC41CB95
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 110ab4e3df24e60344c3d0fc31691a995e19d2fb23a186214fe8256af2bbbebf
                                                                            • Instruction ID: 070131583d8bb430f173d71ac3f1e48c2a6fcfb519f063928a8fb8ef6a18bc0b
                                                                            • Opcode Fuzzy Hash: 110ab4e3df24e60344c3d0fc31691a995e19d2fb23a186214fe8256af2bbbebf
                                                                            • Instruction Fuzzy Hash: 28314CB4E402099FEB48EFA4D854AAE77B7EF84300F1184A9D611AB394DE35AD018F94
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2245563348.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_2a7d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7f8c150f7f4df4eda551de57a8ca6095757c17a92b3f8c800ad6624e409cefd0
                                                                            • Instruction ID: 7d41850fbc817b3d1dac6ffa68c6c22b33bd70cd57f73c32269b7f45166c26f1
                                                                            • Opcode Fuzzy Hash: 7f8c150f7f4df4eda551de57a8ca6095757c17a92b3f8c800ad6624e409cefd0
                                                                            • Instruction Fuzzy Hash: 65210072600200EFDF05DF14D9C0B26BBB1FB88314F20C5ADE9098A656CB3AD956CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2245563348.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_2a7d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 952d8b208a609043dc0b093f7e5379348a0565a81fd88c2ccac1b6ca8a0dedee
                                                                            • Instruction ID: 8e81cf7dd2a6bd2fc77dc9cfb955df3257a7c3fb47b8bfd7b2703baaf32c77c9
                                                                            • Opcode Fuzzy Hash: 952d8b208a609043dc0b093f7e5379348a0565a81fd88c2ccac1b6ca8a0dedee
                                                                            • Instruction Fuzzy Hash: 6E213475604200EFDB10DF24DDC0B26BBA1FB94324F20C56DD90A8B746DB3AD94BCA61
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2245563348.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_2a7d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f14e92314e79f88668c225d7c15041bb3af8fec19439a21baefe7e42df8de85a
                                                                            • Instruction ID: df82c94986869555547c09e433f896a5f516208adfc2df99d5f6934e223ffe0b
                                                                            • Opcode Fuzzy Hash: f14e92314e79f88668c225d7c15041bb3af8fec19439a21baefe7e42df8de85a
                                                                            • Instruction Fuzzy Hash: 572127B1604240DFDB24DF24DDC4B26BBB5FB84718F20C66DD9098B741CB3ADA46CA65
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 397716e2b5c5acfd002349d322c4f8e177e7d2fda4959ba42ab9d7b12a536ebb
                                                                            • Instruction ID: 4e6202ab8bd5331b2277dadfa51ad77455cffc95c5dbe59703a3c8d6f993e71a
                                                                            • Opcode Fuzzy Hash: 397716e2b5c5acfd002349d322c4f8e177e7d2fda4959ba42ab9d7b12a536ebb
                                                                            • Instruction Fuzzy Hash: 692168B4A157448EEB64CF7AC48838AFBF6EFC8310F28C42AD80D9B245D6746481CF61
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8ac1233a5bc23c9b502bc8351336d52efca3ab765ed9f723b08b07ecfc6254a5
                                                                            • Instruction ID: d8c87c1ef396f0b73a3afff97c0a1fa478d8de95456a89834129b3ca46fdd7f1
                                                                            • Opcode Fuzzy Hash: 8ac1233a5bc23c9b502bc8351336d52efca3ab765ed9f723b08b07ecfc6254a5
                                                                            • Instruction Fuzzy Hash: F5112336B30104DBCB099B78E8045EDBBB2EFC8221F14886AE906D7711DA70AD11CBE0
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a525f15cbeabcfec7ab4b708e0aef3487377bc01c333b5db05e4496917a3afd0
                                                                            • Instruction ID: 9d031ac9285be946f16ea0878ffb1fc37a486b8c7b9be8bd0dec75a78ee5c969
                                                                            • Opcode Fuzzy Hash: a525f15cbeabcfec7ab4b708e0aef3487377bc01c333b5db05e4496917a3afd0
                                                                            • Instruction Fuzzy Hash: 0511287A7101188FCF14DBACE8509EE77F6EBC8325B0440A5EA09DB750DB30EC058BA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2245563348.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_2a7d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 79743b7ef64e79def9027e5355c367a0ea036754744aa2e52695c6db9a72276b
                                                                            • Instruction ID: e2cf40fdf6f855ddee87f4ade69c92f1d68c52e46a34beb38b68045625edebd0
                                                                            • Opcode Fuzzy Hash: 79743b7ef64e79def9027e5355c367a0ea036754744aa2e52695c6db9a72276b
                                                                            • Instruction Fuzzy Hash: 52219D76504240DFCF06CF10D9C4B16BF72FB88314F24C5A9D9494A656C33AD56ACF91
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2245563348.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_2a7d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0e074c66091f42264c338087dd8e67e8934f5c9a6a74f81f19a2831112881f99
                                                                            • Instruction ID: ede5c81844b9a354ed3b95422edd9692669aa07ee27e28c73690511343367cf7
                                                                            • Opcode Fuzzy Hash: 0e074c66091f42264c338087dd8e67e8934f5c9a6a74f81f19a2831112881f99
                                                                            • Instruction Fuzzy Hash: 3211DD76504280DFCB11CF10D9C0B15FFA1FB84328F28C6AAD8098BB56C33AD54ACB62
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3c988d0ec692de47113e27c74fcd7eda99ca277d6c28cb97dd626970f9cd8d78
                                                                            • Instruction ID: a650f99baadcfb6376dab1357707052d2920479473ed14bfb4a2d68c1e03febb
                                                                            • Opcode Fuzzy Hash: 3c988d0ec692de47113e27c74fcd7eda99ca277d6c28cb97dd626970f9cd8d78
                                                                            • Instruction Fuzzy Hash: A201D4317082445FC755DA69AC40A6F7BE9EFCA221700056DE509D7342DB21AD0287A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2245563348.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_2a7d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c12bdcfc7d53356236296e6c9884e8d6b07be3f84c1f820c8cafd9167f572e4
                                                                            • Instruction ID: 4ce1c7044a6d6178e9a1dd013f2ed27dba33fec79ae6523e6823e0e084db701a
                                                                            • Opcode Fuzzy Hash: 2c12bdcfc7d53356236296e6c9884e8d6b07be3f84c1f820c8cafd9167f572e4
                                                                            • Instruction Fuzzy Hash: 7211E0B5604280CFCB25DF14D9D4B25FBB1FB44314F24C6ADC8498BA52C33AD54ACB92
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cad52b8e1a5a02962fc58868468c7dc6f02295c3a8daffcf90f9d283d66824a7
                                                                            • Instruction ID: 93c05340451309ecbf923e8055ef6f0e988838955ed8399ef64318ce3778e9d2
                                                                            • Opcode Fuzzy Hash: cad52b8e1a5a02962fc58868468c7dc6f02295c3a8daffcf90f9d283d66824a7
                                                                            • Instruction Fuzzy Hash: 67F0A4327193A41FD7154A79AC509B7BFEDDFC6620B0545ABF954C7351CA64CE0087A0
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 702052799ff424f19a2380e2e9154c5f476216ae9325abaf8b1a138436774ee4
                                                                            • Instruction ID: f16062854cc262e0ca59e6d8625c147186b6325216d50783986331adf679c497
                                                                            • Opcode Fuzzy Hash: 702052799ff424f19a2380e2e9154c5f476216ae9325abaf8b1a138436774ee4
                                                                            • Instruction Fuzzy Hash: D0015235B002249FCB159F74E848AAEBBF5FB89315F14406AE91AD3341DB36A911CB91
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b4392c5dd1486d00e06c669f75f6f788851670b24ec03a1ff635d728553f6921
                                                                            • Instruction ID: b980d58734cf3d493a0a90f725c687f9e784bcd97634bd7bd699563846a70a56
                                                                            • Opcode Fuzzy Hash: b4392c5dd1486d00e06c669f75f6f788851670b24ec03a1ff635d728553f6921
                                                                            • Instruction Fuzzy Hash: 8F11F7352047548FC728DF75D05089AB7F6EF8921572489ADD48A8BBA0CB32F845CB50
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2245563348.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_2a7d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4c25ccc49533d03dd47f9b73f5b20d29b42d162e4522bc1be032d358cf18a068
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 39b9f3ba2f5dd562478e3c04d2d91af320c1ef6345784270162aaf4bc0f783ff
                                                                            • Instruction ID: dbd0e87b57db25bfc30b317fdbfaa0b93f86bbe3b320e376ebe8a6add95f810f
                                                                            • Opcode Fuzzy Hash: 39b9f3ba2f5dd562478e3c04d2d91af320c1ef6345784270162aaf4bc0f783ff
                                                                            • Instruction Fuzzy Hash: DAE0C232B10621478616A62EF81099F77EBDFC5671310446EE109C7304DE68EC0247D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                            • Instruction ID: 7957788b2e08d75efbaa54a08d9b53ba649eae6cdde94f58121635a0da6fe74e
                                                                            • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                            • Instruction Fuzzy Hash: ABE08631B30014978B0C9959D4104EDF7AADBCC220F04807ED90AA7340DA726915C6E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 41bcda51da57b08f42adcb5e5eb598ac5dd96dfbbdd873f434b5b4f9b41444b2
                                                                            • Instruction ID: f1a8676dec34066330bd391efdeff9e83305f55e9f6012236d8156e2c5ba09ad
                                                                            • Opcode Fuzzy Hash: 41bcda51da57b08f42adcb5e5eb598ac5dd96dfbbdd873f434b5b4f9b41444b2
                                                                            • Instruction Fuzzy Hash: 8FE04870D101099F8740DF78984159AFFF4DB45100F10806DD90DD3301F6725642CFD1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 24ea079c6cba630666b97b7353db1222f86327f0422638b30bf259ed46bb43e3
                                                                            • Instruction ID: db8208d3d52f5baed711edf2723a91d4e27845b8f344ebffcf9035bfae7e0395
                                                                            • Opcode Fuzzy Hash: 24ea079c6cba630666b97b7353db1222f86327f0422638b30bf259ed46bb43e3
                                                                            • Instruction Fuzzy Hash: E4D01236764166231B1CA0AF78205BBA6DFC7C5565359C03AF508C7704DC53DC0202F5
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 20976c0a74005e93a9064f3d60c1d59267d92e3c7af760d4f6f037a6a88e28bf
                                                                            • Instruction ID: 785651fd23705178303d73df9d7a47d9cfa70c987a6c1ad597d47c492b748117
                                                                            • Opcode Fuzzy Hash: 20976c0a74005e93a9064f3d60c1d59267d92e3c7af760d4f6f037a6a88e28bf
                                                                            • Instruction Fuzzy Hash: F7C0121733E2A89BC70F46407C008F57B28DDC71B1B410093DB16C5C0151502B34C2F2
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                            • Instruction ID: 62df5635db3c8eb053e3d59587d31821776dbd5d2f950fa040889ebdae28eb91
                                                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                            • Instruction Fuzzy Hash: 0FD06270D142099F8784DFADC94156EFBF4EB48200F5085AA8919D7301F7715612CBD1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 461d3929ed77d491cdd082836c4cd1217bf1f1501317dd2cec7df6dc729bc00d
                                                                            • Instruction ID: 382ef58adcf2ae4bbf3d39b8fa97ca77527f88c71308782327370520e3efb2d0
                                                                            • Opcode Fuzzy Hash: 461d3929ed77d491cdd082836c4cd1217bf1f1501317dd2cec7df6dc729bc00d
                                                                            • Instruction Fuzzy Hash: 33D017349141198BCB0CABA4E81B5FDBB34FA10311F4001A9EA0792690EE342A4ACAC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: be58b79da21b11ec0bfed18471710a95388c6a4d6f4f808b69ace3d3a1d9dcee
                                                                            • Instruction ID: 6fc9659ce06e64d32b04c0f08ce2d9010c80a4296d8aa95261b198c1d0e0dc4b
                                                                            • Opcode Fuzzy Hash: be58b79da21b11ec0bfed18471710a95388c6a4d6f4f808b69ace3d3a1d9dcee
                                                                            • Instruction Fuzzy Hash: 69D017349141198BCB0CABA4E81B5BDBB34FA10311F4001A9EA0792290EA342A4ACAC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bd31e5c19d465ca63b95a2e9eca35c40149f583e077d723a6ef943d6a00696f2
                                                                            • Instruction ID: ddb5489526221a58cdde7ce76a5c311c329902a9b633220887fd35dd53f603e6
                                                                            • Opcode Fuzzy Hash: bd31e5c19d465ca63b95a2e9eca35c40149f583e077d723a6ef943d6a00696f2
                                                                            • Instruction Fuzzy Hash: 83D01734A1820A8BCB18EFA4E84A97EBBB5EB84300F004169ED0993380EA306C01CBC1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 43cbeb213623254d21f6f30f5d0b6b49ebfc5493aecc64db0ff069b3056de668
                                                                            • Instruction ID: 28909f6ce3e881da078465e1c110ae768df1d3738a798df98a801cd3780a7630
                                                                            • Opcode Fuzzy Hash: 43cbeb213623254d21f6f30f5d0b6b49ebfc5493aecc64db0ff069b3056de668
                                                                            • Instruction Fuzzy Hash: 60D0223014D3C54FC3078B3098100603F28EE8611636524CEE8494B1A3CA66A885CB60
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 752784755a6c075f7b21df827d7bf2fe0d9b99d00a37ee5bd8d5cab5926b129b
                                                                            • Instruction ID: 56aa92811218ba5457bae73490ebd58a3e8d5d42674baabcbaa0877603a7c52f
                                                                            • Opcode Fuzzy Hash: 752784755a6c075f7b21df827d7bf2fe0d9b99d00a37ee5bd8d5cab5926b129b
                                                                            • Instruction Fuzzy Hash: 22D09239B40228CFDB08CB98E895A9CF371FF84325F1181A5E51A97350CB32AD12CB40
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3cfb5b14b6565d7924a4b1907bcde8f6afa6cb028fc99e886f2833105c70f5eb
                                                                            • Instruction ID: 702127eed751cbdb14acf18d7798a27b43b4c5b71aa6dd353b5a4976b69b1f72
                                                                            • Opcode Fuzzy Hash: 3cfb5b14b6565d7924a4b1907bcde8f6afa6cb028fc99e886f2833105c70f5eb
                                                                            • Instruction Fuzzy Hash: BBC08C1050D3D00EEF0383308D620057F329E4350870E01C2D98397123CD188822C351
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4f7ba4d13270cdabe681a4a7661095db1222c0c97a123c90a8f054187bdcd680
                                                                            • Instruction ID: b17b1673cd53b1efb9c8eda5752ab01b177a8f6fefb61a57166aeeebd6587e2b
                                                                            • Opcode Fuzzy Hash: 4f7ba4d13270cdabe681a4a7661095db1222c0c97a123c90a8f054187bdcd680
                                                                            • Instruction Fuzzy Hash: 83B092341857488FC298AF76A804814732DAF4421538018A8E90E0B2A38E77E8C4CA44
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.2246361217.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_9_2_4240000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2afcaa0ab5079ed79a7cfeae5862dbd3587884bac4d7923ec1851f0fc6036d21
                                                                            • Instruction ID: 783cc0bf0e63ec48ab6c2eb93e6c20c12ed5c429f9c52fa48fb3971a0aa47978
                                                                            • Opcode Fuzzy Hash: 2afcaa0ab5079ed79a7cfeae5862dbd3587884bac4d7923ec1851f0fc6036d21
                                                                            • Instruction Fuzzy Hash: 36A011282022200AAA080E338A082AA2AAAAA802C2F0880A2F000C0080CA2CC0082200

                                                                            Execution Graph

                                                                            Execution Coverage:6.9%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:3
                                                                            Total number of Limit Nodes:0
                                                                            execution_graph 20224 8c06f20 20225 8c06f63 SetThreadToken 20224->20225 20226 8c06f91 20225->20226

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 204 4b9b490-4b9b4a9 205 4b9b4ab 204->205 206 4b9b4ae-4b9b7f5 call 4b9acbc 204->206 205->206
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2331617026.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7680000_powershell.jbxd

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 268 8c06edf-8c06ee1 269 8c06ee3-8c06f5b 268->269 270 8c06e6b-8c06e80 268->270 272 8c06f63-8c06f8f SetThreadToken 269->272 270->268 273 8c06f91-8c06f97 272->273 274 8c06f98-8c06fb5 272->274 273->274
                                                                            APIs
                                                                            • SetThreadToken.KERNELBASE(?,?), ref: 08C06F82
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2338277473.0000000008C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_8c00000_powershell.jbxd

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 277 8c06f20-8c06f8f SetThreadToken 279 8c06f91-8c06f97 277->279 280 8c06f98-8c06fb5 277->280 279->280
                                                                            APIs
                                                                            • SetThreadToken.KERNELBASE(?,?), ref: 08C06F82
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2338277473.0000000008C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_8c00000_powershell.jbxd

                                                                            Control-flow Graph

                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2331617026.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d7a69db1f8c88ab656a1c2bc4fe7a0e177fc311ee57450fa171fc75e20d90c2e
                                                                            • Instruction ID: ddf0dcf735140cb980d8a0e81e5d8aded4b9e2e385d83fb9ec79ab479b70a588
                                                                            • Opcode Fuzzy Hash: d7a69db1f8c88ab656a1c2bc4fe7a0e177fc311ee57450fa171fc75e20d90c2e
                                                                            • Instruction Fuzzy Hash: 5C1225B1B043469FDB61AF79C81176FBFA2AFC2611F14856AD5468B341DE32CC42CBA1

                                                                            Control-flow Graph

                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2331617026.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 191afc3a564515b2f1736e61c2fbdfa1719e526d852778da6b2729bcd2af2be3
                                                                            • Instruction ID: 357d5df6765df7e7baf9a8525b299193f66104ae1aa750e7a4c6837a3bb6eef7
                                                                            • Opcode Fuzzy Hash: 191afc3a564515b2f1736e61c2fbdfa1719e526d852778da6b2729bcd2af2be3
                                                                            • Instruction Fuzzy Hash: 2CB115B1B04309DFDB68AB79C4116AABBE6AF87211F14C17ED54A8B341DB31CD42C7A1

                                                                            Control-flow Graph

                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 842367aef38d6e18525766a8ebdff33be3f8f0ac321dc6aeb2ac2d40ae078076
                                                                            • Instruction ID: 8334310a113364e343381da9fcf6545f5e1e5e3a963aa6ecbcc75ea754b1c37f
                                                                            • Opcode Fuzzy Hash: 842367aef38d6e18525766a8ebdff33be3f8f0ac321dc6aeb2ac2d40ae078076
                                                                            • Instruction Fuzzy Hash: 33916B74A00205DFCB19CF59C494AAAFBF1FF88310B248AA9D915AB365C735FC51CBA0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e6e71added2a739e2c4a0439f6d4b6d9ac84fe673ce54660809c2006994a9c19
                                                                            • Instruction ID: 4740a78782606e7c29c3c81cbc4ee54aa21ee07918e6be8c448e4af93a151382
                                                                            • Opcode Fuzzy Hash: e6e71added2a739e2c4a0439f6d4b6d9ac84fe673ce54660809c2006994a9c19
                                                                            • Instruction Fuzzy Hash: B8519D34714205DFDB14DB69D894A6A7BE6EFC9314B1484B9D509CB392EF35EC02CBA0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 11c32c6986f315776dff47d72c48792bc91b1b42ac571b5973d4507a05b9da54
                                                                            • Instruction ID: f3f65d274114c54991c84b100f16d5818a3011a2a4dbf4562aef7c407cc08f00
                                                                            • Opcode Fuzzy Hash: 11c32c6986f315776dff47d72c48792bc91b1b42ac571b5973d4507a05b9da54
                                                                            • Instruction Fuzzy Hash: 87611371E00248CFDB14CFA9D584B9DBBF1FF88310F1581AAE819AB254EB74AD41CB60
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e8819a5390dc3c0b98ddb094a8546f057c7b91f23da4386808fe27abaa7937d8
                                                                            • Instruction ID: 6f92e1558aee13ddfb6b188e22b66cdb8a9000619b90a4421b1cee273a889f5c
                                                                            • Opcode Fuzzy Hash: e8819a5390dc3c0b98ddb094a8546f057c7b91f23da4386808fe27abaa7937d8
                                                                            • Instruction Fuzzy Hash: 16512471E04248DFDB14DFA9D484A9DBBF1FF88310F1580AAE819AB354EB34AC45CB60
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2331617026.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 695c86a8bf6505c0428a687de15afe396632b364c609de354a2f34cffc93c4e5
                                                                            • Instruction ID: 3dc0a617e39c7892698ea1c37e71e86ee0d212d6f27e20582066473ff944250b
                                                                            • Opcode Fuzzy Hash: 695c86a8bf6505c0428a687de15afe396632b364c609de354a2f34cffc93c4e5
                                                                            • Instruction Fuzzy Hash: 9941E4F1A003028FCB61AF26C40176E7BA2AF85A40F1886AAD8069F356D731DD45CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d77054c0456b25fbd6ece08f91e5e2bb7b207c210a032430287803d12b16e726
                                                                            • Instruction ID: 8748c7ab0243f3f39c37e6a701fa8a09cbd1938125845593eae15a52d234bfdd
                                                                            • Opcode Fuzzy Hash: d77054c0456b25fbd6ece08f91e5e2bb7b207c210a032430287803d12b16e726
                                                                            • Instruction Fuzzy Hash: 46410A34B14205DFDB14DFA8C568AAABBF2EF8D311F1444A9E506AB391DE35AC01CB64
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7e9f457ef5101267d4128fe17e588a4877437ec670918affe1c41d63faf96799
                                                                            • Instruction ID: 556aeb4453302518516eec361e16f76efb5808ae2b94c2bb7729793909dc6465
                                                                            • Opcode Fuzzy Hash: 7e9f457ef5101267d4128fe17e588a4877437ec670918affe1c41d63faf96799
                                                                            • Instruction Fuzzy Hash: BE410674A00605DFCB09CF59C5989AAFBF1FF48310B1186A9D915AB764C736FC51CBA0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 936a30598ea17f1189f5f99ef732d8cef110c319b001dbbff7c3ca2a7f63266b
                                                                            • Instruction ID: 235ee21b56386c72ec1dc36c31e67cd5c4c4f404e44f9e8bcec6deaea4711c22
                                                                            • Opcode Fuzzy Hash: 936a30598ea17f1189f5f99ef732d8cef110c319b001dbbff7c3ca2a7f63266b
                                                                            • Instruction Fuzzy Hash: 2A414C34A18245DFCB15DBA8C5589AABBF1EF8E311F1880A9D441AB392DB31DC42CB61
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ff12c748feedda9ab4e3d8ee67e4b80b7f9c6e70d642a79b3f43d86e1e4ba2b8
                                                                            • Instruction ID: 436e7daef545a51db3be1ff24cea69add0f58b149a3a4ab4b187f2e90c1caa46
                                                                            • Opcode Fuzzy Hash: ff12c748feedda9ab4e3d8ee67e4b80b7f9c6e70d642a79b3f43d86e1e4ba2b8
                                                                            • Instruction Fuzzy Hash: 6E316D353006019FD715DB78E854BAABBE6EBC9211F0085BDD60ACB365EF71AC05CBA1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 197065f05c96e02a948c6f360cf438eabfac7dd5b89ff3cf74eebd85245738f9
                                                                            • Instruction ID: 6c0147b9af9afb637b311380c66fbe7283f57d45eb34dc67e232c0d36e52101f
                                                                            • Opcode Fuzzy Hash: 197065f05c96e02a948c6f360cf438eabfac7dd5b89ff3cf74eebd85245738f9
                                                                            • Instruction Fuzzy Hash: 7B316A70E006099FDF14DFA9D4947AEBBF6EF89300F1580A9E505EB354EA34AC418BA5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 22145194f1cd617739b68a5ecbffb5ceb3a621a60a479ad1a078da3a42f6f9e1
                                                                            • Instruction ID: 82bfea67768e2582145b75c9d4ee90cebd6659e16d6b29157d5f9032a1c66c4b
                                                                            • Opcode Fuzzy Hash: 22145194f1cd617739b68a5ecbffb5ceb3a621a60a479ad1a078da3a42f6f9e1
                                                                            • Instruction Fuzzy Hash: 593161B8A002459FEB04EBA4D854AEE7BB6EF89300F1184B9D515AF395DB35AD01CF60
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5fd06003a7b5adfa1022f5de493ef2d66e01a2e4e1db9cfcb0bce32e4e5587db
                                                                            • Instruction ID: da3e6b3314d8f26ba3ec50f08b6c1b08c0bcdad38fa3124cc830611b282793c5
                                                                            • Opcode Fuzzy Hash: 5fd06003a7b5adfa1022f5de493ef2d66e01a2e4e1db9cfcb0bce32e4e5587db
                                                                            • Instruction Fuzzy Hash: 57314A70E006098FDF14DFA9C4947AEBAF6EF8D300F1580B9E506EB354EA34AC018B65
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e1b4d449e74a2ca6a72a5b90d5d3263e0e6dccdb5e628baf2d6630805702f1a6
                                                                            • Instruction ID: fb262def1dded4dd1235f4c9f19bc0a2c5196f7a5f24560aa26247df39e9c430
                                                                            • Opcode Fuzzy Hash: e1b4d449e74a2ca6a72a5b90d5d3263e0e6dccdb5e628baf2d6630805702f1a6
                                                                            • Instruction Fuzzy Hash: 6321BC71A043488FDB14DFAED40479EBBF6EF89320F14846AD008E7340CB74AD058BA5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4e6614c1922c065080e3e25d5a019cf42d81d45e85c3d6001d922a88fad18727
                                                                            • Instruction ID: 01ee152987d01df8d0557268f1aa569ce0cb776a8ab456d17d104480a19cf1bb
                                                                            • Opcode Fuzzy Hash: 4e6614c1922c065080e3e25d5a019cf42d81d45e85c3d6001d922a88fad18727
                                                                            • Instruction Fuzzy Hash: E63126B8E002059FEB44DFA4D854AFE7BB6EF88300F118479D515AB394DB759D418F50
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 74f15a8a4fb9917f0df112666c22bf7a5c047b93c8563820c6202223c92da600
                                                                            • Instruction ID: d78987f8a6b49530ec550e1b75ead6f8cb7fbde8e18d9dc056fdde50ae270ece
                                                                            • Opcode Fuzzy Hash: 74f15a8a4fb9917f0df112666c22bf7a5c047b93c8563820c6202223c92da600
                                                                            • Instruction Fuzzy Hash: 67210272608200EFCB05DF10D9C0B26BB65FB8C314F24C6ADE9090A656C336D467DBA2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 483c26490dd7670ae69aa75dcd819aaf1a6ecd5f8ae4ab755cb3fc82163ef250
                                                                            • Instruction ID: 487e912bd473ad14f798f8641cde8b85aa0bd383e960d8551940fc81ddd16dd3
                                                                            • Opcode Fuzzy Hash: 483c26490dd7670ae69aa75dcd819aaf1a6ecd5f8ae4ab755cb3fc82163ef250
                                                                            • Instruction Fuzzy Hash: 31317AB19057448EDBA0CF6AC08878AFFF2EF89310F2884ADD45D9B315D774A885CB61
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fcaae061f1ab0c943543b6c2f9cb4b0baa608031b07efe029496b3125de6a151
                                                                            • Instruction ID: 32dd15771798208a64bff5d72da7f7f9407976fad730dc2bfb1c6454a50531d1
                                                                            • Opcode Fuzzy Hash: fcaae061f1ab0c943543b6c2f9cb4b0baa608031b07efe029496b3125de6a151
                                                                            • Instruction Fuzzy Hash: 83210775604244EFDB14DF24D9C0B56BB66FB88314F24C6BDD90A4B242C376D457CA61
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 35ca93ee3197ffe107ab3ed366c64033f6b1fd867369349b07990ec8cda0aa8c
                                                                            • Instruction ID: 07f7860834865cbad63541ef999cc59eda077f3292d13fa895ac6c3fa9e13c11
                                                                            • Opcode Fuzzy Hash: 35ca93ee3197ffe107ab3ed366c64033f6b1fd867369349b07990ec8cda0aa8c
                                                                            • Instruction Fuzzy Hash: 782127B1604340DFDB54DF24E5C4B66BBA5EB88318F24C6BDD9094B346C33AD897CA62
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6cfab64a24233fb2bb35bde1f5c3b59e7ac999e799a168d01b268303ea824687
                                                                            • Instruction ID: 6fccff90e4619c429bf23d3beebc544018a9683a971562c7acf8c003bf186224
                                                                            • Opcode Fuzzy Hash: 6cfab64a24233fb2bb35bde1f5c3b59e7ac999e799a168d01b268303ea824687
                                                                            • Instruction Fuzzy Hash: 692159B19017448EEBA0CF6AC08838AFBF2EF89310F28C46DD85D97345D674A8818B61
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0e5d5533880b82e953c05c9a5f0b94591188ce679de11a7efc0b7ec08d4e0d11
                                                                            • Instruction ID: 1bf7d42eb4357b794ea92211f489f5e637a10f38e4def805e20ab8048015c71d
                                                                            • Opcode Fuzzy Hash: 0e5d5533880b82e953c05c9a5f0b94591188ce679de11a7efc0b7ec08d4e0d11
                                                                            • Instruction Fuzzy Hash: 1811D739700118CFCF14EBA8E8549DE77F6EBC8325B1540A5E909DB315DB31ED168BA0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2331617026.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_7680000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fda0775f2bde2fa8269d3609295dfe74f3fead46429262e705ead5d4f016eb6b
                                                                            • Instruction ID: f889312901ee68a508e134cf0bddac780d9177e78d72ae07c53f3909f7c124d4
                                                                            • Opcode Fuzzy Hash: fda0775f2bde2fa8269d3609295dfe74f3fead46429262e705ead5d4f016eb6b
                                                                            • Instruction Fuzzy Hash: ED1182F1A0030ADFDB68EF69C584BAAB7E1EB46311F04826ED51A9B711D730D942CB91
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 79743b7ef64e79def9027e5355c367a0ea036754744aa2e52695c6db9a72276b
                                                                            • Instruction ID: da30574bcaf6069051ad81a3031c454f7d9139ea9384a9b501af854b0dd11788
                                                                            • Opcode Fuzzy Hash: 79743b7ef64e79def9027e5355c367a0ea036754744aa2e52695c6db9a72276b
                                                                            • Instruction Fuzzy Hash: 1821CD76504240DFCF06CF10D9C0B16BF72FB88314F28C6A9D8494A656C33AD46ADF92
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9283de76b59570a198437dc96a085ab0240bcb47233941a8b9e71498f53b55e5
                                                                            • Instruction ID: 61b1cfd45d453c6629681cf40bcbd7a2d940e0e94511db20aff47b02034ba011
                                                                            • Opcode Fuzzy Hash: 9283de76b59570a198437dc96a085ab0240bcb47233941a8b9e71498f53b55e5
                                                                            • Instruction Fuzzy Hash: 6701D6317046449BCB15AB6EE8105DABBFAEFCA220B1484FFD41997341DA25AD0687A1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0e074c66091f42264c338087dd8e67e8934f5c9a6a74f81f19a2831112881f99
                                                                            • Instruction ID: 69a762382de17a7e870f38e7837496c4af6274691115a301c843c6a5135e7af2
                                                                            • Opcode Fuzzy Hash: 0e074c66091f42264c338087dd8e67e8934f5c9a6a74f81f19a2831112881f99
                                                                            • Instruction Fuzzy Hash: 1811DD75504280DFCB11CF10D5C0B15FFA2FB88324F28C6AAD8094B656C33AD45ACB62
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: df8839616f786ac1ec9dc009b0dba0ec7a41c27c9eedb871ccfab36208caf1ed
                                                                            • Instruction ID: fc074f9b66d62877f7cf523914817a023fd91e98820cb95294cdb7f7b979e9ea
                                                                            • Opcode Fuzzy Hash: df8839616f786ac1ec9dc009b0dba0ec7a41c27c9eedb871ccfab36208caf1ed
                                                                            • Instruction Fuzzy Hash: 8A11AD312083449FDB18DB76D494AAA7FF4EF4A210F1488EED08ACB6A2CB20BC41C700
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c12bdcfc7d53356236296e6c9884e8d6b07be3f84c1f820c8cafd9167f572e4
                                                                            • Instruction ID: e7007d7dcdc781a226776bb3557e4cdeb3bebb68fffcbb905951762bb4d1548e
                                                                            • Opcode Fuzzy Hash: 2c12bdcfc7d53356236296e6c9884e8d6b07be3f84c1f820c8cafd9167f572e4
                                                                            • Instruction Fuzzy Hash: 5F11CAB5904280CFCB15DF24D5C4B25FBA1FB88314F28C6ADC8498B656C33AD45BCB92
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1ffd326487751e75a9c5e5145c18578a00b8310bd139fc38e87099e1bd63f311
                                                                            • Instruction ID: 3f412b8ce34a6a0ea1b58c03a9ff0e6f1c31f787468fdfc43b947befd96db191
                                                                            • Opcode Fuzzy Hash: 1ffd326487751e75a9c5e5145c18578a00b8310bd139fc38e87099e1bd63f311
                                                                            • Instruction Fuzzy Hash: B8110935204754CFC728DF75D05089ABBF6EF8921572489ADD48A8BBA0CB32FC45CB50
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: eeaea164a3b258600a195bb116873b0392e5aa1d2cbf5887b8864bf5b6be9367
                                                                            • Instruction ID: b33714c5ac9138b17629093d6b243ee81e7148af56fdff814c5205e2d337748b
                                                                            • Opcode Fuzzy Hash: eeaea164a3b258600a195bb116873b0392e5aa1d2cbf5887b8864bf5b6be9367
                                                                            • Instruction Fuzzy Hash: 2A015235B016149FCB219F75E848AAEBBF6FB88315F1440ADE51AD3242DB31A911CB91
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b0ac73f42c01274372f3d5b56fbde7f0a2474d1d016e01fc0e8235465eac4c1e
                                                                            • Instruction ID: e84e116755e9260ff9ab9a14dd6b22ac941eb1f96a2be9f172bc52d7cffbc610
                                                                            • Opcode Fuzzy Hash: b0ac73f42c01274372f3d5b56fbde7f0a2474d1d016e01fc0e8235465eac4c1e
                                                                            • Instruction Fuzzy Hash: F201A2313092915FD7018A7998509AB7FE8EF86310B1540BFF840C7262C6648D04CB60
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 805d5193edda1dd66f5de8cfa953f33d96ffba831a34720e43eed010ff2f907a
                                                                            • Instruction ID: d650ca99770f88cc040fbb1d4db3d3a2778c4d6e979928a47733213b26d9c06e
                                                                            • Opcode Fuzzy Hash: 805d5193edda1dd66f5de8cfa953f33d96ffba831a34720e43eed010ff2f907a
                                                                            • Instruction Fuzzy Hash: 2801F231408340EBE7108E29ED84BB7FF98EF4A360F18C06AED480A246C7789885C6B1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2f8ccbeff751c8c010c68ba3e5531f5d412a7a4d1f367db4b7676675560f9b3e
                                                                            • Instruction ID: 4de017eeb792c5a52e9c8ddcd4b771160b596b2763d15af9e212027c47b3ca43
                                                                            • Opcode Fuzzy Hash: 2f8ccbeff751c8c010c68ba3e5531f5d412a7a4d1f367db4b7676675560f9b3e
                                                                            • Instruction Fuzzy Hash: BC012D6240E3C09FD7128B25D894B62BFB49F47224F1D80DBD9888F1A7C2695848C772
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8793277944a882c9a7122d3192437dccc14ae7ed89b51858558ec762808b2a49
                                                                            • Instruction ID: 2d52d2d9c14868314e4b6390d9bab8e11929a4e48aa1deb173c3ec49623793eb
                                                                            • Opcode Fuzzy Hash: 8793277944a882c9a7122d3192437dccc14ae7ed89b51858558ec762808b2a49
                                                                            • Instruction Fuzzy Hash: 2E01A235B00604DBCF12AB75E8454ECBBB5FF99310F1445BAD40697311DA307D12DB60
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: aa88cabf358be913e2385e87176e16d02dddbbe24dc46abd2c2c9993db5dcd62
                                                                            • Instruction ID: dffd8a4fff959eaab458749595a7a64c66dcf4f22f0e2a1bc6a0708f35119404
                                                                            • Opcode Fuzzy Hash: aa88cabf358be913e2385e87176e16d02dddbbe24dc46abd2c2c9993db5dcd62
                                                                            • Instruction Fuzzy Hash: 30F028313093509FC7128768E840A6F7FF4EF8A22570005AED04ADBA92CF645C06C7A1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3e88f5e4a0d4f6b7382d13608d34b3002c7f4d94868dc764557da6f069bb9aee
                                                                            • Instruction ID: 08763def9ca3e1725d6ce8fa185271bc2bde7abeb9b47a1fc05ec60e513669ca
                                                                            • Opcode Fuzzy Hash: 3e88f5e4a0d4f6b7382d13608d34b3002c7f4d94868dc764557da6f069bb9aee
                                                                            • Instruction Fuzzy Hash: 7001FF356042409FE711AF38D0143AB7BB1EFC7318F5181AAC8068B396CE396C06DBA0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a697011d41446ef55d305b73cfe146015173e1a9818653efa4b7e432308a0df0
                                                                            • Instruction ID: 078c14f4483fa05c1532e37ac715d31008ae0f952ad9d96d49d2e1b9ade0e0e9
                                                                            • Opcode Fuzzy Hash: a697011d41446ef55d305b73cfe146015173e1a9818653efa4b7e432308a0df0
                                                                            • Instruction Fuzzy Hash: B1F04976200614AFD720CF0AD984C23FBADEFC4770319C56AE84A8B612C731EC41CAA0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4227e1f24ebe5897e1d9cd0f54fe11da80c3c2ae9ce38552bfb42aa250e0d057
                                                                            • Instruction ID: 9d3f06532850734130b64f894955dd49bfe9e824c4be7d988be9604a4666f00a
                                                                            • Opcode Fuzzy Hash: 4227e1f24ebe5897e1d9cd0f54fe11da80c3c2ae9ce38552bfb42aa250e0d057
                                                                            • Instruction Fuzzy Hash: FBF017343056518FC711AB2DD45896ABBF6EFCB71572A04EAE445CB772DA60EC02CB50
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2296970501.000000000311D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0311D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_311d000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0c118d02cdf905dadb8e4c1e9cd0035dd5c99e80bbaacea5387ed8a1ee54d7e4
                                                                            • Instruction ID: ed9fee96c2286bdef508f4ece6d0e1030f9f0a500e48c2e3652dbe87bc5f118a
                                                                            • Opcode Fuzzy Hash: 0c118d02cdf905dadb8e4c1e9cd0035dd5c99e80bbaacea5387ed8a1ee54d7e4
                                                                            • Instruction Fuzzy Hash: E3F06275100A50AFD715CF05CD84D23BBB9EF89720B198499E8494B312C730FC41CF60
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9fb967fa8bea1299730f0cf472b91f4ea38ade1a6633689ec5bf23a0334259b9
                                                                            • Instruction ID: 05259812efdf154da509813805d53af48aba4dcffa07dcbb8d52a73503ee4c1e
                                                                            • Opcode Fuzzy Hash: 9fb967fa8bea1299730f0cf472b91f4ea38ade1a6633689ec5bf23a0334259b9
                                                                            • Instruction Fuzzy Hash: 8AF090705053509FD361AB78D4A939ABBF4FB01310F4588AAD14EC7242DB346C81CB60
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 85a08df713b4efa4007583e561d023aa9bd1069b12441e54af8bf32d254b6c3a
                                                                            • Instruction ID: fa9fa86e92423110a4152d78dca97e67cc0f5c40a8b6b6ac66d2b34c7333f2b2
                                                                            • Opcode Fuzzy Hash: 85a08df713b4efa4007583e561d023aa9bd1069b12441e54af8bf32d254b6c3a
                                                                            • Instruction Fuzzy Hash: D5F0A7317007159FDB149A59E884A7F77E9EB89275B00093DE14AD3B40DF34AD0287A4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a0ab521643bb4b5cf41ac668a56781f845e5db9f4f68f3ad04d4f3dceef494ee
                                                                            • Instruction ID: e500a2843d6c905b11e93eae23995968dffefe25e05e2a2ba3e7e07d50919d52
                                                                            • Opcode Fuzzy Hash: a0ab521643bb4b5cf41ac668a56781f845e5db9f4f68f3ad04d4f3dceef494ee
                                                                            • Instruction Fuzzy Hash: 9CF03039710214CFDB14EBADD85099A7BF2EBC975571941A8E909CB315DF24DC024B90
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dce044d1ea24eb9c0752ce61bda00c09f727a8337d1255ff515cf27ce3760e27
                                                                            • Instruction ID: 475c68d5ef0974593f18e840cc34b1cbee1347e8b4c82488a5b92d299bec1d0b
                                                                            • Opcode Fuzzy Hash: dce044d1ea24eb9c0752ce61bda00c09f727a8337d1255ff515cf27ce3760e27
                                                                            • Instruction Fuzzy Hash: 70F027796002048BE314AF68D0183EF77A6DBC6718F10816EC91A4B385CE396C42CBE0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d88de71d6d97a656053963230b1d4fecae6390e21de0b5180568a3a71daeaccf
                                                                            • Instruction ID: 3138daff6c35b96fefb48a26d3e6b66cdd7c20a1c8214d947432a80be87a0b13
                                                                            • Opcode Fuzzy Hash: d88de71d6d97a656053963230b1d4fecae6390e21de0b5180568a3a71daeaccf
                                                                            • Instruction Fuzzy Hash: 11E0E5353106118F8B109F1ED498D66BBEAEFCE62532904AAE549DB321DA61EC018B90
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5e350d892e4aa29d39771d25cc6861ab4d511429bfe5c47e6ca02e9c2101929e
                                                                            • Instruction ID: 6e94ef319826709f8c72d9e80b0c64798d63b59cf20175e052833837e25eb1d0
                                                                            • Opcode Fuzzy Hash: 5e350d892e4aa29d39771d25cc6861ab4d511429bfe5c47e6ca02e9c2101929e
                                                                            • Instruction Fuzzy Hash: ACE092213093D15B8B16A63DA850565BBB7EAD722030940FBE045CF252ED155C02C3A0
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1f22f626c11a75d4ce1400ab1fc74ca73f70ed620d8ada9741b2c460f8e94c50
                                                                            • Instruction ID: 4bed3034604f992d5ce732a0d270630b7adb06c1274252c3b5b2213cb93ec613
                                                                            • Opcode Fuzzy Hash: 1f22f626c11a75d4ce1400ab1fc74ca73f70ed620d8ada9741b2c460f8e94c50
                                                                            • Instruction Fuzzy Hash: 71E0223570060097CB096734D01C6AEBA66EBC8721F04006EEA0683341CF25580193D5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cbae9d7c4a4aec05d0a7e251a910059611f9a04feac5cfce4e31434a7bb648df
                                                                            • Instruction ID: f5bd482cdc6d563fe85c9b4af4590bb0cb10720c391ee3d4cee6115d29a13ef5
                                                                            • Opcode Fuzzy Hash: cbae9d7c4a4aec05d0a7e251a910059611f9a04feac5cfce4e31434a7bb648df
                                                                            • Instruction Fuzzy Hash: 4EE012227111152B6E98BAFA98907BB75CECBC749970600BED905C7351ED50EC0283F1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 41c1c511793151588377ee9b97e20c306ae597e5833f74201038ea1416df58f2
                                                                            • Instruction ID: 95aebb67b62cd954da720b5e82bdd457ac4f505d236e53fbc654a23be48ca2a7
                                                                            • Opcode Fuzzy Hash: 41c1c511793151588377ee9b97e20c306ae597e5833f74201038ea1416df58f2
                                                                            • Instruction Fuzzy Hash: BDF06D709007049BD760DFB8D49C79ABBE5FB44320F40446DE61EC7340DB356880CB90
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 854b525d5f40be72c817a0c8a1309e420806fa9e0781c6028ffb55ce34c6f657
                                                                            • Instruction ID: 7a3dbf1613e8c2853c21f7bfc414e1eb67d55c6adabee8b67de0921322850742
                                                                            • Opcode Fuzzy Hash: 854b525d5f40be72c817a0c8a1309e420806fa9e0781c6028ffb55ce34c6f657
                                                                            • Instruction Fuzzy Hash: 56E0DF35304A1087CB097774A42C6AEBAA6EBC8724F05006EDB1683341CF68580193D9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9f4950fa8863b071e190f8279f00851b835b730207e1708a7e281f81057286d9
                                                                            • Instruction ID: c447561529a8045eb6a0deb1e3ac7b6feb68f1fca95395f887933bb4e76025f6
                                                                            • Opcode Fuzzy Hash: 9f4950fa8863b071e190f8279f00851b835b730207e1708a7e281f81057286d9
                                                                            • Instruction Fuzzy Hash: 65D09E52761225275ED875BA58506BBB5CECBC74A970601BEDA09C7351ED44EC0243F1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b18dd881ddcce7ccab7ce33a0ea168975cadaca83030199f4b674e534cc44139
                                                                            • Instruction ID: 193ac80f244b054d3ca47b12bc64834802f79359487bb4e3676357fe713f615c
                                                                            • Opcode Fuzzy Hash: b18dd881ddcce7ccab7ce33a0ea168975cadaca83030199f4b674e534cc44139
                                                                            • Instruction Fuzzy Hash: F1E08C36700B10478621AA2EA81099FBAEEDFC967135489BEE01A87304DE68ED0247A5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                            • Instruction ID: 746f81db2ac957bca3407893f4f538e8ba0f9656bfdc43c9cab41136396e15d7
                                                                            • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                            • Instruction Fuzzy Hash: 2BE08631B00018978F0896AAD4504D9F7A9DBCC220F04847ED90AA7340DA326D168691
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6e3898340946de835c4bc365ffcc22e1076fcac4241bc505e8214be1a1f22c35
                                                                            • Instruction ID: 860143a0b2041c2659a30fec10c9e6aa6e1e774e2c04eba6182505c852703db9
                                                                            • Opcode Fuzzy Hash: 6e3898340946de835c4bc365ffcc22e1076fcac4241bc505e8214be1a1f22c35
                                                                            • Instruction Fuzzy Hash: 4BE01231815209DFCB09FFB4D46A4A9BB34FB12301F4101FDD51387251EA311A46CB90
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 424fd534fae30e5731a1e481ff8f549db9c2ee7bce5d25f0013f3d80ea5ab011
                                                                            • Instruction ID: 48324d98ceaf12e0cf43329764b111b4551643ba40676f8af410f3704b770d4c
                                                                            • Opcode Fuzzy Hash: 424fd534fae30e5731a1e481ff8f549db9c2ee7bce5d25f0013f3d80ea5ab011
                                                                            • Instruction Fuzzy Hash: 70E09A34A0820A9BC704EFA8D066469FFB0FB06300F0285A9DD0A87341E6305C41CB80
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ff6ce95bfe13e9e1baff654b07f80d1338b229f01a3f57cf6c641277a1d26490
                                                                            • Instruction ID: abd062c5b11042ba03d3c5c2a0db9d1f09ce14b965b47041713bccacf5de6653
                                                                            • Opcode Fuzzy Hash: ff6ce95bfe13e9e1baff654b07f80d1338b229f01a3f57cf6c641277a1d26490
                                                                            • Instruction Fuzzy Hash: D8E01270D042499F8B40DFBC84815A9FBF4EF55200B60C4A99909D7301E6329A12CF91
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.2299473095.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_4b90000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                            • Instruction ID: 0ba9fdaf4ea82ba1c5cc33d26d0a1a06fb61d2ee07d4bfd0c1b068754a0dd332
                                                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                            • Instruction Fuzzy Hash: 9AD067B0D042099F8B80EFADC94156EFFF4EB48210F6085BA8919E7301F7329A12CBD1