
Windows Analysis Report
SKM_BH450i2411261138090453854974574748668683985857435.scr.exe

Overview

General Information

Sample name: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Analysis ID: 1564894
MD5: 34ef4cb75ba2bf112a7ef70f7a270dbb
SHA1: cd0b9d5de12841d7b0c49d7f6b98c12fd53e1837
SHA256: 2f8b625544a974b1d801bc2de338dca23abb89fd6d49b5b9bb8ad2dbbb7e41ba
Tags: exe, user-threatcat_ch

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SKM_BH450i2411261138090453854974574748668683985857435.scr.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe" MD5: 34EF4CB75BA2BF112A7EF70F7A270DBB)
    • SKM_BH450i2411261138090453854974574748668683985857435.scr.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe" MD5: 34EF4CB75BA2BF112A7EF70F7A270DBB)
      • powershell.exe (PID: 7696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SKM_BH450i2411261138090453854974574748668683985857435.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 2652 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1296 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["104.250.180.178"], "Port": 7061, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
00000000.00000002.1692271403.0000000006F60000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1690494145.0000000003549000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xcb33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcbd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcce5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc14d:$cnc4: POST / HTTP/1.1
00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc34d:$cnc4: POST / HTTP/1.1
0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe", ParentImage: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ParentProcessId: 7576, ParentProcessName: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', ProcessId: 7696, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe", ParentImage: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ParentProcessId: 7576, ParentProcessName: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', ProcessId: 7696, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe", ParentImage: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ParentProcessId: 7576, ParentProcessName: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', ProcessId: 7696, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ProcessId: 7576, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe", ParentImage: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ParentProcessId: 7576, ParentProcessName: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe', ProcessId: 7696, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T00:01:23.584076+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:33.223475+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:43.974486+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:53.503770+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:54.733348+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:05.493399+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:16.227028+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:23.513394+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:26.963451+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:34.643611+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:34.883628+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:39.953842+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:40.203637+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:40.447578+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:40.683803+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:40.923978+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:51.503537+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:51.743251+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:53.513761+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:02.254902+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:02.508085+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:02.809689+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:08.463495+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:12.153931+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:18.393428+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:23.513259+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:28.833576+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:29.081193+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:34.113684+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:34.361765+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:34.843788+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:45.033574+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:45.273379+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:50.533509+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:50.795650+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:53.503658+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:01.327343+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:06.743317+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:06.984108+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:07.223831+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:11.553955+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:16.553429+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:17.088693+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:23.515454+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:27.843352+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:38.587294+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:48.254190+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:48.493561+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:53.523987+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:54.303886+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T00:01:33.225210+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:01:43.976623+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:01:54.734906+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:05.496324+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:16.228572+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:26.966117+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:34.647943+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:34.885741+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:39.956860+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:40.318628+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:40.456275+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:40.686086+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:40.925439+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:51.505302+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:51.745033+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:02.368356+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:02.509642+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:02.814381+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:08.466049+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:12.156600+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:18.396507+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:28.835162+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:29.082564+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:29.386166+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:34.363317+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:34.614122+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:34.734132+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:34.854354+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:35.084968+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:35.205389+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:45.038183+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:45.276551+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:50.540111+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:03:50.798483+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:01.329021+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:06.746944+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:06.988196+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:07.228167+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:11.557443+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:16.654405+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:17.090849+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:27.846030+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:38.602965+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:48.256218+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:48.494761+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:48.798231+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:54.305392+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T00:01:23.584076+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:53.503770+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:23.513394+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:53.513761+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:23.513259+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:53.503658+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:23.515454+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:53.523987+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T00:04:06.423816+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP


AV Detection

Source: 00000002.00000002.4153151084.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": 7061, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\XClient.exe | ReversingLabs: Detection: 57%
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XClient.exe | Joe Sandbox ML: detected
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Joe Sandbox ML: detected
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | String decryptor: 104.250.180.178
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | String decryptor: 7061
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | String decryptor: <123456789>
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | String decryptor: <Xwormmm>
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | String decryptor: XWorm V5.2
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | String decryptor: USB.exe
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | String decryptor: %AppData%
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack | String decryptor: XClient.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\bZaQ.pdb8 source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER4927.tmp.dmp.18.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4129439182.0000000000D94000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER4927.tmp.dmp.18.dr
Source: Binary string: System.ni.pdbRSDS source: WER4927.tmp.dmp.18.dr
Source: Binary string: System.Windows.Forms.pdbSystem.Xml.dll source: WER4927.tmp.dmp.18.dr
Source: Binary string: n0C:\Windows\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: bZaQ.pdbSHA256Tk\ source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, XClient.exe.2.dr
Source: Binary string: System.Configuration.ni.pdb source: WER4927.tmp.dmp.18.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER4927.tmp.dmp.18.dr
Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER4927.tmp.dmp.18.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4129439182.0000000000D94000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER4927.tmp.dmp.18.dr
Source: Binary string: o.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER4927.tmp.dmp.18.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Core.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: %%.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP% source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D44000.00000004.00000020.00020000.00000000.sdmp, SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp, WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.pdbH source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Drawing.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Management.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Management.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\exe\bZaQ.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Desktop\bZaQ.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdbh source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb@ source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbE source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4129439182.0000000000D94000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: bZaQ.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, XClient.exe.2.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\symbols\exe\bZaQ.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe	Code function: 4x nop then jmp 072B9742h	0_2_072B8D36

                  Networking

                  Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.4:49740
                  Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.4:49740
                  Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49740 -> 104.250.180.178:7061
                  Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49740 -> 104.250.180.178:7061
                  Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49740 -> 104.250.180.178:7061
                  Source: Malware configuration extractor	URLs: 104.250.180.178
                  Source: Yara match	File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, type: UNPACKEDPE
                  Source: global traffic	TCP traffic: 192.168.2.4:49740 -> 104.250.180.178:7061
                  Source: Joe Sandbox View	IP Address: 104.250.180.178 104.250.180.178
                  Source: Joe Sandbox View	ASN Name: M247GB M247GB
                  Source: unknown	TCP traffic detected without corresponding DNS query: 104.250.180.178
                  Source: powershell.exe, 00000006.00000002.1793364060.000000000767E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
                  Source: powershell.exe, 00000006.00000002.1792553188.0000000007619000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
                  Source: powershell.exe, 00000008.00000002.1853417264.0000000008188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
                  Source: powershell.exe, 00000006.00000002.1796588135.00000000085C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftoAp
                  Source: powershell.exe, 00000003.00000002.1749718983.0000000005FDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1784470209.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1837918091.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1898094044.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000B.00000002.1876859362.0000000005202000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000003.00000002.1744434299.00000000050C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1775627906.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1821917297.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1876859362.0000000005202000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4153151084.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1744434299.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1775627906.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1821917297.0000000004751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1876859362.0000000005091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000003.00000002.1744434299.00000000050C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1775627906.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1821917297.00000000048A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1876859362.0000000005202000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 0000000B.00000002.1876859362.0000000005202000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1691754831.0000000006622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
                  Source: powershell.exe, 00000003.00000002.1744434299.0000000004F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1775627906.0000000004D11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1821917297.0000000004751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1876859362.0000000005091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
                  Source: powershell.exe, 0000000B.00000002.1898094044.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000B.00000002.1898094044.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000B.00000002.1898094044.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000B.00000002.1876859362.0000000005202000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000003.00000002.1744434299.000000000575A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
                  Source: powershell.exe, 0000000B.00000002.1905695264.00000000079BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
                  Source: powershell.exe, 00000003.00000002.1749718983.0000000005FDC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1784470209.0000000005D7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1837918091.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1898094044.00000000060FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

                  System Summary

                  Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0235D63C0_2_0235D63C
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716D7080_2_0716D708
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716DC280_2_0716DC28
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716AA600_2_0716AA60
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716A7B80_2_0716A7B8
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716A7C80_2_0716A7C8
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716D6FA0_2_0716D6FA
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716DC220_2_0716DC22
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716DCFE0_2_0716DCFE
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_0716AA4F0_2_0716AA4F
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_072BAA300_2_072BAA30
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_072B56300_2_072B5630
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_072B4D910_2_072B4D91
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_072B71A80_2_072B71A8
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_072B51F80_2_072B51F8
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 0_2_072B68D00_2_072B68D0
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_029D61A52_2_029D61A5
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_029D44D02_2_029D44D0
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_029D4AC82_2_029D4AC8
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_029D14582_2_029D1458
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_029D1A702_2_029D1A70
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_05CA20E82_2_05CA20E8
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_05CA7BB82_2_05CA7BB8
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_05CA1AC12_2_05CA1AC1
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_05CA72E82_2_05CA72E8
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_05CAC2082_2_05CAC208
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeCode function: 2_2_05CA6FA02_2_05CA6FA0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04DDB4903_2_04DDB490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04DDB4703_2_04DDB470
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_08E43A983_2_08E43A98
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0321B4906_2_0321B490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_0321B4706_2_0321B470
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_08AC3E986_2_08AC3E98
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_0457B4908_2_0457B490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_04EDB49011_2_04EDB490
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_04EDB47011_2_04EDB470
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1296
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000000.1671905733.0000000000112000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebZaQ.exe4 vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1692648646.00000000086F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1690494145.0000000003582000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1692271403.0000000006F60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1690494145.0000000003549000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1688907971.000000000058E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4239080434.0000000005FD9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4194395181.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebZaQ.exe4 vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Binary or memory string: OriginalFilenamebZaQ.exe4 vs SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XClient.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, evBSdWeBEycC8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 3QiiXqkghrMk1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 3QiiXqkghrMk1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, evBSdWeBEycC8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 3QiiXqkghrMk1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 3QiiXqkghrMk1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, gtv0gssvKWWRAOg38T65o.cs | Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, gtv0gssvKWWRAOg38T65o.cs | Base64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, d2UN8s6Si1LJdhto0I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, y42W1bnvO6P0K.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, y42W1bnvO6P0K.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, SE8mrW77tjEQMHpoqY.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, d2UN8s6Si1LJdhto0I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, y42W1bnvO6P0K.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, y42W1bnvO6P0K.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, d2UN8s6Si1LJdhto0I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/24@0/1
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Mutant created: \Sessions\1\BaseNamedObjects\XczLagvCjDnYaiUQ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7576
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | File read: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Source: unknown | Process created: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe"
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe"
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SKM_BH450i2411261138090453854974574748668683985857435.scr.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1296
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe"
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe'
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SKM_BH450i2411261138090453854974574748668683985857435.scr.exe'
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: XClient.lnk.2.dr LNK file: ..\..\..\..\..\XClient.exe
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\exe\bZaQ.pdb8 source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4129439182.0000000000D94000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Accessibility.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.ni.pdbRSDS source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Windows.Forms.pdbSystem.Xml.dll source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: n0C:\Windows\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: bZaQ.pdbSHA256Tk\ source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, XClient.exe.2.dr
                  Source: Binary string: System.Configuration.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.ni.pdbRSDS source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4129439182.0000000000D94000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Xml.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: o.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Core.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: %%.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP% source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D44000.00000004.00000020.00020000.00000000.sdmp, SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp, WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.pdbH source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Drawing.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Management.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: mscorlib.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.Management.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\exe\bZaQ.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: symbols\dll\mscorlib.pdbLb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4251424476.000000000615B000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Desktop\bZaQ.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.pdbh source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb@ source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbE source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4129439182.0000000000D94000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: System.ni.pdb source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: bZaQ.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, XClient.exe.2.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WER4927.tmp.dmp.18.dr
                  Source: Binary string: \??\C:\Windows\symbols\exe\bZaQ.pdb source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4270486896.0000000006D20000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.raw.unpack, GtaAIbrHXObmMm8GPA.cs .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: EcGTN38sUvr8r
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs .Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, SE8mrW77tjEQMHpoqY.cs .Net Code: DZtYWfldEx System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, SE8mrW77tjEQMHpoqY.cs .Net Code: DZtYWfldEx System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: EcGTN38sUvr8r
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, SE8mrW77tjEQMHpoqY.cs .Net Code: DZtYWfldEx System.Reflection.Assembly.Load(byte[])
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Static PE information: 0x9FC1E548 [Mon Dec 7 19:28:08 2054 UTC]
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Code function: 0_2_0235EFB0 push esp; iretd 0_2_0235EFB1
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Code function: 2_2_029D5F75 push esp; retf 2_2_029D5F85
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Code function: 2_2_05CABC81 push dword ptr [ebp+ebx-75h]; iretd 2_2_05CABC85
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Code function: 2_2_05CABC0F push dword ptr [ebp+ecx-75h]; retf 2_2_05CABC1A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04DD629D push eax; ret 3_2_04DD6351
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_03216348 push eax; ret 6_2_03216351
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_04576342 push eax; ret 8_2_04576351
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04ED633D push eax; ret 11_2_04ED6351
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04ED3C79 push eax; retn 0008h 11_2_04ED3C7A
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04ED3D1C push edx; retn 0008h 11_2_04ED3D32
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_04ED7A09 pushfd ; retn 0008h 11_2_04ED7A0A
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe Static PE information: section name: .text entropy: 7.69396304461048
                  Source: XClient.exe.2.dr Static PE information: section name: .text entropy: 7.69396304461048
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack, FZaOUuOPvnEAfIAr0M.cs High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.raw.unpack, FZaOUuOPvnEAfIAr0M.cs High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.raw.unpack, GtaAIbrHXObmMm8GPA.cs High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.raw.unpack, kAOj1Y7pfP90kycNNw.cs High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, OEGyOZzp9CU9Z.cs High entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, xEwUvc4BlwXCJ.cs High entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, qMGvLJvouSdkL.cs High entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 3QiiXqkghrMk1.cs High entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, y42W1bnvO6P0K.cs High entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, 4QBfyOitSe4w0.cs High entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, yI26puFLQ4OeW.cs High entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack, FZaOUuOPvnEAfIAr0M.cs High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, pvn88657F7WjgkjuW8.csHigh entropy of concatenated method names: 'QvLZqupggh', 'PiMZJrptkg', 'D2PZZ8EjcB', 'fpbZUjLlmP', 'obbZ04uUKR', 'qvPZEBu3s7', 'Dispose', 'gFF3pyedrd', 'PE23A2Y7Ih', 'MXS393q2XM'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, mKJ6b1A944CkjLYuBS.csHigh entropy of concatenated method names: 'Dispose', 'kWjHIgkjuW', 'rmFSVQYkqU', 'M49FTeHVvA', 'R6FH2ugxb3', 'gUCHzliZOK', 'ProcessDialogKey', 'KJaSBojAwl', 'lFaSHa42xm', 'poESSXwhkp'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, pHpQnoYAoOqXP2paYp.csHigh entropy of concatenated method names: 'VnYHy2UN8s', 'ci1H7LJdht', 'GCBHP6Hk5n', 'v52HGAHExH', 'SjGHqZHFnj', 'uikHTNd4Q7', 'Im1jX0td2a7TFku6Cg', 'iEChLtfBEsZRP4vV5p', 'F13HHQhOB3', 't3cHkYK9TY'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, Ewhkp42ZL8PgJgaju7.csHigh entropy of concatenated method names: 'FWSO9XeAE9', 'HoPORnhw9F', 'NCWOmwre87', 'igQOydGF1M', 'oRbOZ02xGH', 'i8xO7jkHkX', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, XnjfikMNd4Q7LEZ0iS.csHigh entropy of concatenated method names: 'SeUmdsxRoO', 'xbImAeUlSN', 'whEmRNjEHH', 'EstmyfoB3r', 'NXhm7wV60y', 'BceRjieIyF', 'Y2KRxD7AUu', 'VngR5A0XHH', 'P8SRF7OAyL', 'FXURIXoJMS'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, d2UN8s6Si1LJdhto0I.csHigh entropy of concatenated method names: 'aZOAsjjh31', 'wwsA8X4b8k', 'cIDA1Ah0E3', 'vGTArWTmFO', 'beBAjEs7u4', 'dcDAxfGE9U', 'ANiA5qulif', 'XxgAFJlkTc', 'G3oAIDHnBI', 'YqwA2ZFtTR'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, yoZrBxHH6nk4DkwaMqN.csHigh entropy of concatenated method names: 'w07O2wF76c', 'sMROziiZAG', 'W5sUBSimRP', 'TCFUHbKKRS', 'rMUUSW5U2M', 'GXOUkTpHBJ', 'nogUYbJgJv', 'ePCUdEj5AS', 'eGBUper086', 'DK5UAkcFZt'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, TL7NRMNfUPxdlWFsyZ.csHigh entropy of concatenated method names: 'BNgyphj1rb', 'D8Gy9FH9rJ', 'wraymehDUf', 'QTDm2X9NZD', 'yYFmzIK5cu', 'S5YyBZ21mU', 'thmyHyUdTh', 'HXkySIrB2b', 'DKqykRWU1d', 'tVeyYnOxsQ'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, yojAwlIDFaa42xmToE.csHigh entropy of concatenated method names: 'TZCZMQSFMS', 'xuZZVVk4ds', 'WZjZned1Ex', 'UuVZc9v3hF', 'WmPZvebLoC', 'CYbZhtwXMn', 'AvWZNgNMKq', 'FqxZtV4g0w', 's3oZii9BJG', 'I39ZestOnL'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, rWUMLnHYQVefd65Ahs9.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'symfZAYNl3', 'yHpfOUJKOM', 'k10fUwc77j', 'L0qffMqRJw', 'tmJf0ilHiy', 'CiOfuYgBBm', 'x8rfERtCAc'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, jY08qSi1mG0P88mRtK.csHigh entropy of concatenated method names: 'oG2ylvY2nR', 'gMjyacWtHi', 'AXVyWOWTG6', 'VPTywkZRNR', 'pdmy4iaUSt', 'R4Jyg69sbB', 'dO0yLjLbjG', 'DEOy6Tx84y', 'twIyXtJ31o', 'nw1yCttkSX'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, SE8mrW77tjEQMHpoqY.csHigh entropy of concatenated method names: 'Hf3kdjNapS', 'n89kpVem8Q', 'EmJkAleQ9e', 'zSFk9GCrv8', 'MlhkR6d5Sg', 'H3AkmPGYGn', 'dodkyVtaRE', 'LTYk737ZBy', 'dU6kDYMIe1', 'pTMkPQD0sb'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, bExH6QCLNG5UD1jGZH.csHigh entropy of concatenated method names: 'CaAR4SQ98G', 'sk7RLToce5', 'ClG9nHNncX', 'bfh9cvW7CZ', 'bHm9vsmUtW', 'oSA9hoqcev', 'y4X9Nt2KmW', 'osq9th7ATY', 'FJ09i8RSPY', 'jC79ekDiVM'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, bHgUxrS0Te2wLuDVLm.csHigh entropy of concatenated method names: 'GfPWTskDy', 'rXMwOf5s6', 'vgdgZI3d7', 'SRkLNYK0F', 'aofXTTBL2', 'fYYCH8GoH', 'TYYPa5DBtgYGAkPtnQ', 'rZnr8s8AXsnOVOER3D', 'sL33X7El1', 'fdnO5bJfx'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, uC0YYuHBq2hKI660Jww.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GTaOKbSypy', 'xDtOQ4pwTl', 'FVVObSew24', 'mOmOsVyx2o', 'ABLO8Vnret', 'AcwO1GkFH4', 'swoOreHXlS'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, NXPdfNx0HvQ551imJq.csHigh entropy of concatenated method names: 'QtdJFUcMnT', 'EwPJ2rULg5', 'CAP3BHWl0v', 'BVc3HHorpt', 'JJCJKE9YK1', 'jGsJQuv4wH', 'FMuJbZW6sd', 'MkbJsMoIto', 'o2LJ84ZyAx', 'lEsJ1Sm9Mf'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, WRSfOJzcbNkjql3oqr.csHigh entropy of concatenated method names: 's0HOg908C6', 'PoLO6CsB7Q', 'uTCOXq24NZ', 'PYlOMrdMxM', 'PYAOVW4Dbv', 'NE6OcKd9Rj', 'dVrOvihB5o', 'CkSOE2h2hV', 'v6KOlmMCGA', 'YKfOawSCOf'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, KTSc7VXCB6Hk5n052A.csHigh entropy of concatenated method names: 'HrM9wBv1XZ', 'Brg9gCv9TM', 'ydL96A6eS4', 'huH9XZya5k', 'iOe9qhjtld', 'yAR9Tq3FjP', 'W929J4nqXy', 'eFl93vpqoZ', 'oAN9ZYVbiO', 'a3S9Ofgos0'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, ksARnF9L8C7UCI5fyp.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fRVSIIC889', 'mLnS2P0KSH', 'NEASzcPZiq', 'p3RkBPMKXW', 'cf0kHHQyEP', 'UcJkSfARO5', 'pQskkNEZi5', 'GFiqZgQQZITQBlfh78A'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.36dc1c8.5.raw.unpack, IPhqifb77vu0oZdksO.csHigh entropy of concatenated method names: 'VMUo6wNIHr', 'up9oXJy1ey', 'Dc0oMgTIbQ', 'yFvoVYF00i', 'PLDoctWhMf', 'DhKovwCG7f', 'jaxoNxxkSs', 'HmiotoNPdm', 'KRkoeBxIs8', 'chVoKh3ilJ'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, pvn88657F7WjgkjuW8.csHigh entropy of concatenated method names: 'QvLZqupggh', 'PiMZJrptkg', 'D2PZZ8EjcB', 'fpbZUjLlmP', 'obbZ04uUKR', 'qvPZEBu3s7', 'Dispose', 'gFF3pyedrd', 'PE23A2Y7Ih', 'MXS393q2XM'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, mKJ6b1A944CkjLYuBS.csHigh entropy of concatenated method names: 'Dispose', 'kWjHIgkjuW', 'rmFSVQYkqU', 'M49FTeHVvA', 'R6FH2ugxb3', 'gUCHzliZOK', 'ProcessDialogKey', 'KJaSBojAwl', 'lFaSHa42xm', 'poESSXwhkp'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, pHpQnoYAoOqXP2paYp.csHigh entropy of concatenated method names: 'VnYHy2UN8s', 'ci1H7LJdht', 'GCBHP6Hk5n', 'v52HGAHExH', 'SjGHqZHFnj', 'uikHTNd4Q7', 'Im1jX0td2a7TFku6Cg', 'iEChLtfBEsZRP4vV5p', 'F13HHQhOB3', 't3cHkYK9TY'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, Ewhkp42ZL8PgJgaju7.csHigh entropy of concatenated method names: 'FWSO9XeAE9', 'HoPORnhw9F', 'NCWOmwre87', 'igQOydGF1M', 'oRbOZ02xGH', 'i8xO7jkHkX', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, XnjfikMNd4Q7LEZ0iS.csHigh entropy of concatenated method names: 'SeUmdsxRoO', 'xbImAeUlSN', 'whEmRNjEHH', 'EstmyfoB3r', 'NXhm7wV60y', 'BceRjieIyF', 'Y2KRxD7AUu', 'VngR5A0XHH', 'P8SRF7OAyL', 'FXURIXoJMS'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, d2UN8s6Si1LJdhto0I.csHigh entropy of concatenated method names: 'aZOAsjjh31', 'wwsA8X4b8k', 'cIDA1Ah0E3', 'vGTArWTmFO', 'beBAjEs7u4', 'dcDAxfGE9U', 'ANiA5qulif', 'XxgAFJlkTc', 'G3oAIDHnBI', 'YqwA2ZFtTR'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, yoZrBxHH6nk4DkwaMqN.csHigh entropy of concatenated method names: 'w07O2wF76c', 'sMROziiZAG', 'W5sUBSimRP', 'TCFUHbKKRS', 'rMUUSW5U2M', 'GXOUkTpHBJ', 'nogUYbJgJv', 'ePCUdEj5AS', 'eGBUper086', 'DK5UAkcFZt'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, TL7NRMNfUPxdlWFsyZ.csHigh entropy of concatenated method names: 'BNgyphj1rb', 'D8Gy9FH9rJ', 'wraymehDUf', 'QTDm2X9NZD', 'yYFmzIK5cu', 'S5YyBZ21mU', 'thmyHyUdTh', 'HXkySIrB2b', 'DKqykRWU1d', 'tVeyYnOxsQ'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, yojAwlIDFaa42xmToE.csHigh entropy of concatenated method names: 'TZCZMQSFMS', 'xuZZVVk4ds', 'WZjZned1Ex', 'UuVZc9v3hF', 'WmPZvebLoC', 'CYbZhtwXMn', 'AvWZNgNMKq', 'FqxZtV4g0w', 's3oZii9BJG', 'I39ZestOnL'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, rWUMLnHYQVefd65Ahs9.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'symfZAYNl3', 'yHpfOUJKOM', 'k10fUwc77j', 'L0qffMqRJw', 'tmJf0ilHiy', 'CiOfuYgBBm', 'x8rfERtCAc'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, jY08qSi1mG0P88mRtK.csHigh entropy of concatenated method names: 'oG2ylvY2nR', 'gMjyacWtHi', 'AXVyWOWTG6', 'VPTywkZRNR', 'pdmy4iaUSt', 'R4Jyg69sbB', 'dO0yLjLbjG', 'DEOy6Tx84y', 'twIyXtJ31o', 'nw1yCttkSX'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, SE8mrW77tjEQMHpoqY.csHigh entropy of concatenated method names: 'Hf3kdjNapS', 'n89kpVem8Q', 'EmJkAleQ9e', 'zSFk9GCrv8', 'MlhkR6d5Sg', 'H3AkmPGYGn', 'dodkyVtaRE', 'LTYk737ZBy', 'dU6kDYMIe1', 'pTMkPQD0sb'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, bExH6QCLNG5UD1jGZH.csHigh entropy of concatenated method names: 'CaAR4SQ98G', 'sk7RLToce5', 'ClG9nHNncX', 'bfh9cvW7CZ', 'bHm9vsmUtW', 'oSA9hoqcev', 'y4X9Nt2KmW', 'osq9th7ATY', 'FJ09i8RSPY', 'jC79ekDiVM'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, bHgUxrS0Te2wLuDVLm.csHigh entropy of concatenated method names: 'GfPWTskDy', 'rXMwOf5s6', 'vgdgZI3d7', 'SRkLNYK0F', 'aofXTTBL2', 'fYYCH8GoH', 'TYYPa5DBtgYGAkPtnQ', 'rZnr8s8AXsnOVOER3D', 'sL33X7El1', 'fdnO5bJfx'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, uC0YYuHBq2hKI660Jww.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GTaOKbSypy', 'xDtOQ4pwTl', 'FVVObSew24', 'mOmOsVyx2o', 'ABLO8Vnret', 'AcwO1GkFH4', 'swoOreHXlS'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, NXPdfNx0HvQ551imJq.csHigh entropy of concatenated method names: 'QtdJFUcMnT', 'EwPJ2rULg5', 'CAP3BHWl0v', 'BVc3HHorpt', 'JJCJKE9YK1', 'jGsJQuv4wH', 'FMuJbZW6sd', 'MkbJsMoIto', 'o2LJ84ZyAx', 'lEsJ1Sm9Mf'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, WRSfOJzcbNkjql3oqr.csHigh entropy of concatenated method names: 's0HOg908C6', 'PoLO6CsB7Q', 'uTCOXq24NZ', 'PYlOMrdMxM', 'PYAOVW4Dbv', 'NE6OcKd9Rj', 'dVrOvihB5o', 'CkSOE2h2hV', 'v6KOlmMCGA', 'YKfOawSCOf'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, KTSc7VXCB6Hk5n052A.csHigh entropy of concatenated method names: 'HrM9wBv1XZ', 'Brg9gCv9TM', 'ydL96A6eS4', 'huH9XZya5k', 'iOe9qhjtld', 'yAR9Tq3FjP', 'W929J4nqXy', 'eFl93vpqoZ', 'oAN9ZYVbiO', 'a3S9Ofgos0'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, ksARnF9L8C7UCI5fyp.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fRVSIIC889', 'mLnS2P0KSH', 'NEASzcPZiq', 'p3RkBPMKXW', 'cf0kHHQyEP', 'UcJkSfARO5', 'pQskkNEZi5', 'GFiqZgQQZITQBlfh78A'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.86f0000.7.raw.unpack, IPhqifb77vu0oZdksO.csHigh entropy of concatenated method names: 'VMUo6wNIHr', 'up9oXJy1ey', 'Dc0oMgTIbQ', 'yFvoVYF00i', 'PLDoctWhMf', 'DhKovwCG7f', 'jaxoNxxkSs', 'HmiotoNPdm', 'KRkoeBxIs8', 'chVoKh3ilJ'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, OEGyOZzp9CU9Z.csHigh entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, xEwUvc4BlwXCJ.csHigh entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, qMGvLJvouSdkL.csHigh entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 3QiiXqkghrMk1.csHigh entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, y42W1bnvO6P0K.csHigh entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, 4QBfyOitSe4w0.csHigh entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, yI26puFLQ4OeW.csHigh entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, pvn88657F7WjgkjuW8.csHigh entropy of concatenated method names: 'QvLZqupggh', 'PiMZJrptkg', 'D2PZZ8EjcB', 'fpbZUjLlmP', 'obbZ04uUKR', 'qvPZEBu3s7', 'Dispose', 'gFF3pyedrd', 'PE23A2Y7Ih', 'MXS393q2XM'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, mKJ6b1A944CkjLYuBS.csHigh entropy of concatenated method names: 'Dispose', 'kWjHIgkjuW', 'rmFSVQYkqU', 'M49FTeHVvA', 'R6FH2ugxb3', 'gUCHzliZOK', 'ProcessDialogKey', 'KJaSBojAwl', 'lFaSHa42xm', 'poESSXwhkp'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, pHpQnoYAoOqXP2paYp.csHigh entropy of concatenated method names: 'VnYHy2UN8s', 'ci1H7LJdht', 'GCBHP6Hk5n', 'v52HGAHExH', 'SjGHqZHFnj', 'uikHTNd4Q7', 'Im1jX0td2a7TFku6Cg', 'iEChLtfBEsZRP4vV5p', 'F13HHQhOB3', 't3cHkYK9TY'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, Ewhkp42ZL8PgJgaju7.csHigh entropy of concatenated method names: 'FWSO9XeAE9', 'HoPORnhw9F', 'NCWOmwre87', 'igQOydGF1M', 'oRbOZ02xGH', 'i8xO7jkHkX', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, XnjfikMNd4Q7LEZ0iS.csHigh entropy of concatenated method names: 'SeUmdsxRoO', 'xbImAeUlSN', 'whEmRNjEHH', 'EstmyfoB3r', 'NXhm7wV60y', 'BceRjieIyF', 'Y2KRxD7AUu', 'VngR5A0XHH', 'P8SRF7OAyL', 'FXURIXoJMS'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, d2UN8s6Si1LJdhto0I.csHigh entropy of concatenated method names: 'aZOAsjjh31', 'wwsA8X4b8k', 'cIDA1Ah0E3', 'vGTArWTmFO', 'beBAjEs7u4', 'dcDAxfGE9U', 'ANiA5qulif', 'XxgAFJlkTc', 'G3oAIDHnBI', 'YqwA2ZFtTR'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, yoZrBxHH6nk4DkwaMqN.csHigh entropy of concatenated method names: 'w07O2wF76c', 'sMROziiZAG', 'W5sUBSimRP', 'TCFUHbKKRS', 'rMUUSW5U2M', 'GXOUkTpHBJ', 'nogUYbJgJv', 'ePCUdEj5AS', 'eGBUper086', 'DK5UAkcFZt'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, TL7NRMNfUPxdlWFsyZ.csHigh entropy of concatenated method names: 'BNgyphj1rb', 'D8Gy9FH9rJ', 'wraymehDUf', 'QTDm2X9NZD', 'yYFmzIK5cu', 'S5YyBZ21mU', 'thmyHyUdTh', 'HXkySIrB2b', 'DKqykRWU1d', 'tVeyYnOxsQ'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, yojAwlIDFaa42xmToE.csHigh entropy of concatenated method names: 'TZCZMQSFMS', 'xuZZVVk4ds', 'WZjZned1Ex', 'UuVZc9v3hF', 'WmPZvebLoC', 'CYbZhtwXMn', 'AvWZNgNMKq', 'FqxZtV4g0w', 's3oZii9BJG', 'I39ZestOnL'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, rWUMLnHYQVefd65Ahs9.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'symfZAYNl3', 'yHpfOUJKOM', 'k10fUwc77j', 'L0qffMqRJw', 'tmJf0ilHiy', 'CiOfuYgBBm', 'x8rfERtCAc'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, jY08qSi1mG0P88mRtK.csHigh entropy of concatenated method names: 'oG2ylvY2nR', 'gMjyacWtHi', 'AXVyWOWTG6', 'VPTywkZRNR', 'pdmy4iaUSt', 'R4Jyg69sbB', 'dO0yLjLbjG', 'DEOy6Tx84y', 'twIyXtJ31o', 'nw1yCttkSX'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, SE8mrW77tjEQMHpoqY.csHigh entropy of concatenated method names: 'Hf3kdjNapS', 'n89kpVem8Q', 'EmJkAleQ9e', 'zSFk9GCrv8', 'MlhkR6d5Sg', 'H3AkmPGYGn', 'dodkyVtaRE', 'LTYk737ZBy', 'dU6kDYMIe1', 'pTMkPQD0sb'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, bExH6QCLNG5UD1jGZH.csHigh entropy of concatenated method names: 'CaAR4SQ98G', 'sk7RLToce5', 'ClG9nHNncX', 'bfh9cvW7CZ', 'bHm9vsmUtW', 'oSA9hoqcev', 'y4X9Nt2KmW', 'osq9th7ATY', 'FJ09i8RSPY', 'jC79ekDiVM'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, bHgUxrS0Te2wLuDVLm.csHigh entropy of concatenated method names: 'GfPWTskDy', 'rXMwOf5s6', 'vgdgZI3d7', 'SRkLNYK0F', 'aofXTTBL2', 'fYYCH8GoH', 'TYYPa5DBtgYGAkPtnQ', 'rZnr8s8AXsnOVOER3D', 'sL33X7El1', 'fdnO5bJfx'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, uC0YYuHBq2hKI660Jww.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GTaOKbSypy', 'xDtOQ4pwTl', 'FVVObSew24', 'mOmOsVyx2o', 'ABLO8Vnret', 'AcwO1GkFH4', 'swoOreHXlS'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, NXPdfNx0HvQ551imJq.csHigh entropy of concatenated method names: 'QtdJFUcMnT', 'EwPJ2rULg5', 'CAP3BHWl0v', 'BVc3HHorpt', 'JJCJKE9YK1', 'jGsJQuv4wH', 'FMuJbZW6sd', 'MkbJsMoIto', 'o2LJ84ZyAx', 'lEsJ1Sm9Mf'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, WRSfOJzcbNkjql3oqr.csHigh entropy of concatenated method names: 's0HOg908C6', 'PoLO6CsB7Q', 'uTCOXq24NZ', 'PYlOMrdMxM', 'PYAOVW4Dbv', 'NE6OcKd9Rj', 'dVrOvihB5o', 'CkSOE2h2hV', 'v6KOlmMCGA', 'YKfOawSCOf'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, KTSc7VXCB6Hk5n052A.csHigh entropy of concatenated method names: 'HrM9wBv1XZ', 'Brg9gCv9TM', 'ydL96A6eS4', 'huH9XZya5k', 'iOe9qhjtld', 'yAR9Tq3FjP', 'W929J4nqXy', 'eFl93vpqoZ', 'oAN9ZYVbiO', 'a3S9Ofgos0'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, ksARnF9L8C7UCI5fyp.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fRVSIIC889', 'mLnS2P0KSH', 'NEASzcPZiq', 'p3RkBPMKXW', 'cf0kHHQyEP', 'UcJkSfARO5', 'pQskkNEZi5', 'GFiqZgQQZITQBlfh78A'
                  Source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.372ebe8.3.raw.unpack, IPhqifb77vu0oZdksO.csHigh entropy of concatenated method names: 'VMUo6wNIHr', 'up9oXJy1ey', 'Dc0oMgTIbQ', 'yFvoVYF00i', 'PLDoctWhMf', 'DhKovwCG7f', 'jaxoNxxkSs', 'HmiotoNPdm', 'KRkoeBxIs8', 'chVoKh3ilJ'
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match - File source: Process Memory Space: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe PID: 7436, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: 22B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: 2540000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: 8890000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: 9890000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: 9AA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: AAA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: 29D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: 2BB0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: 2A00000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Window / User API: threadDelayed 4331
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Window / User API: threadDelayed 5499
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7533
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2154
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5975
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2734
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7515
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2227
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7729
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1973
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe TID: 7456 - Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe TID: 7440 - Thread sleep time: -23980767295822402s >= -30000s
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe TID: 7184 - Thread sleep count: 4331 > 30
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe TID: 7184 - Thread sleep count: 5499 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824 - Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000 - Thread sleep count: 5975 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000 - Thread sleep count: 2734 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032 - Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 - Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172 - Thread sleep count: 7515 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172 - Thread sleep count: 2227 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176 - Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960 - Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - File Volume queried: C:\ FullSizeInformation
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4129439182.0000000000D94000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Process queried: DebugPort
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe'
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Memory written: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Process created: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe"
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SKM_BH450i2411261138090453854974574748668683985857435.scr.exe'
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe - Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe, 00000002.00000002.4129439182.0000000000D94000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1692271403.0000000006F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1690494145.0000000003549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4153151084.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe PID: 7436, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe PID: 7576, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.6f60000.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.35624c8.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25de20c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.1692271403.0000000006F60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1690494145.0000000003549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 2.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.25a454c.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SKM_BH450i2411261138090453854974574748668683985857435.scr.exe.254b21c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4153151084.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe PID: 7436, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe PID: 7576, type: MEMORYSTR
MITRE ATT&CK Matrix (only techniques carrying signature badges in the original matrix are listed; the numbers in brackets are the count badges shown in each cell)

• Execution: Windows Management Instrumentation [1, 1]; PowerShell [1]
• Persistence: Registry Run Keys / Startup Folder [2]; DLL Side-Loading [1]
• Privilege Escalation: Process Injection [1, 1, 1]; Registry Run Keys / Startup Folder [2]; DLL Side-Loading [1]
• Defense Evasion: Masquerading [1]; Disable or Modify Tools [1, 1]; Virtualization/Sandbox Evasion [1, 4, 1]; Process Injection [1, 1, 1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3, 1]; Software Packing [2, 2]; Timestomp [1]; DLL Side-Loading [1]
• Discovery: Security Software Discovery [2, 3, 1]; Process Discovery [1]; Virtualization/Sandbox Evasion [1, 4, 1]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [1, 3]
• Collection: Archive Collected Data [1, 1]
• Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]
• Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no badged techniques
Behavior Graph
Behavior Graph ID: 1564894
Sample: SKM_BH450i24112611380904538...
Startdate: 29/11/2024
Architecture: WINDOWS
Score: 100

Sample-level signatures (node 2):
• Suricata IDS alerts for network traffic
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• 14 other signatures

Process tree:
• SKM_BH450i2411261138090453854974574748668683985857435.scr.exe (node 8, 3 created files), started by node 2
  - Dropped file: SKM_BH450i24112611...5857435.scr.exe.log (ASCII)
  - Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  - Starts: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe (node 12, 6 created files)
    - DNS/IP: 104.250.180.178, 49740, 7061, M247GB, United States
    - Dropped file: C:\Users\user\AppData\Roaming\XClient.exe (PE32)
    - Signature: Adds a directory exclusion to Windows Defender
    - Starts: powershell.exe (node 17, 23 created files); powershell.exe (node 20, 23 created files); powershell.exe (node 22, 23 created files); 2 other processes (node 24)
      - powershell.exe (node 17): Loading BitLocker PowerShell Module; starts conhost.exe (node 26)
      - powershell.exe (node 20): starts conhost.exe (node 28)
      - powershell.exe (node 22): starts conhost.exe (node 30)
      - 2 other processes (node 24): start conhost.exe (node 32)

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample (Source | Detection | Scanner | Label):
• SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
• SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | 100% | Joe Sandbox ML

Dropped files (Source | Detection | Scanner | Label):
• C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML
• C:\Users\user\AppData\Roaming\XClient.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos

No Antivirus matches
No Antivirus matches

URLs (Source | Detection | Scanner | Label):
• http://crl.microsoftoAp | 0% | Avira URL Cloud | safe
No contacted domains info

Contacted IPs (Name | Malicious | Antivirus Detection | Reputation):
• 104.250.180.178 | false | | high
Public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
• 104.250.180.178 | unknown | United States | 9009 | M247GB | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1564894
Start date and time: 2024-11-29 00:00:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@16/24@0/1
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 342
• Number of non-executed functions: 49
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2676 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8088 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
• VT rate limit hit for: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Timeline (Time | Type | Description):
• 18:00:56 | API Interceptor | 8024301x Sleep call for process: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe modified
• 18:01:00 | API Interceptor | 42x Sleep call for process: powershell.exe modified
• 23:01:20 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
IP context for 104.250.180.178 (Associated Sample Name / URL | Detection | Threat Name):
• 佳川立 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | malicious | PureLog Stealer, Remcos
• Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos
• CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, XWorm
• Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | Remcos
• PACKIING-廣州立得 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | XWorm
• rSOD219ISF-____.scr.exe | malicious | Remcos
• rWWTLCLtoUSADCL.scr.exe | malicious | XWorm
• ttCOg61bOg.exe | malicious | Remcos
• SKM_C364e24092511300346565787689900142344656767788755634232343456768953334466870.scr.exe | malicious | Remcos
• ISF 訂艙單 - KHH-TOLEDO(VIA NYC) SO6615→8152 WKH2406122.scr.exe | malicious | XWorm

Domain context: No context

ASN context for M247GB (Associated Sample Name / URL | Detection | Threat Name | Contacted IP):
• 佳川立 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | malicious | PureLog Stealer, Remcos | 104.250.180.178
• LM94OE0VNK.exe | malicious | Unknown | 91.202.233.141
• Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos | 104.250.180.178
• CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, XWorm | 104.250.180.178
• loligang.x86-20241128-1536.elf | malicious | Mirai | 38.95.109.118
• nabmpsl.elf | malicious | Unknown | 38.206.86.187
• nabarm5.elf | malicious | Unknown | 45.74.38.161
• mips.elf | malicious | Unknown | 77.36.125.131
• akcqrfutuo.elf | malicious | Unknown | 154.17.91.183
• Mail-Manager.jar | malicious | Unknown | 184.174.97.32

JA3 fingerprint context: No context
                                                                                                                            No context
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Thu Nov 28 23:04:56 2024, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):377017
                                                                                                                            Entropy (8bit):3.6111277082174293
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:1536:EolUO8iqzuBojRDapN4uE2aO6SVXwUmDId/QN+DLTgCJSP9Z/wdvcx8cAIqq5c9f:EjDc4uEq6ygc5Q2LTgpRsFKhKvmO7
                                                                                                                            MD5:C26FE399CC677A8078B10D51F7358D6D
                                                                                                                            SHA1:E21FD08B2B133B1FA7273E37B2A0F4AACF073A69
                                                                                                                            SHA-256:4A511C82803050C0DAB365D85F43022D395247317510D0AF72A62D35071313E9
                                                                                                                            SHA-512:521765F42553ADD0FEE7C6B35AF154451F487863E6794A0E9310263349B794451E2C27BD957A2F1A74B26302A5CAE286A42B25F43364B776C14D49FEA6BDBE75
                                                                                                                            Malicious:false
                                                                                                                            Preview:MDMP..a..... .........Hg............d............%..x.......l....0......4....t..........`.......8...........T...........@W..yi..........t0..........`2..............................................................................eJ.......2......GenuineIntel............T...........(.Hg....}........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6524
                                                                                                                            Entropy (8bit):3.7340311761257654
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:R6l7wVeJO0Q6ITYZhfmjVprQ89b6Hsf00em:R6lXJOT60YI16Mfd
                                                                                                                            MD5:C80CF31E2CB65B51C573E6051922CF1D
                                                                                                                            SHA1:99619521F1A396836F85DB9516E9AA2F3421E5EC
                                                                                                                            SHA-256:23760EC3253CBA44FA132A1CDC12EC332DDB29ADAE46DF8D7B6F74FF19ECDD52
                                                                                                                            SHA-512:71AF377AA56ACDB7CD3293CEB32D08CCEB6B0637505DDFD998360431520E7A67452D67521A4D0C0F21123B44B9689C554C0AF39F76153CEF4039DCAADF070AC2
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.7.6.<./.P.i.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4912
                                                                                                                            Entropy (8bit):4.585846541160665
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwWl8zsAJg77aI9zwWpW8VYgYm8M4JvlJaF9+q8vUlJvkSKMxVeTMd:uIjfGI71J7VwJviKUbkjMXPd
                                                                                                                            MD5:CD67434BD3D1DB29B036E962C9D24823
                                                                                                                            SHA1:C75ABA0EE21F9217C64900EB31500EDB7EBE6548
                                                                                                                            SHA-256:DE5A8C341F95C3DEF86BB2372167FBE5CB01A73441A0BF59C553347C25C732FF
                                                                                                                            SHA-512:C99D7A24ACE2EB4DA8F8064F2C100B60F48CA5319D3DE0CFE423896B5A1F2AB9946C226D79CE585BF3E46FC4FEDC9256F786E3ACC19CD310B3BE5EBBDCA67841
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="608527" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                            Process:C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1216
                                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                            Malicious:true
                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):2232
                                                                                                                            Entropy (8bit):5.38001807625381
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:jWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZvFyus:jLHyIFKL3IZ2KRH9Ougws
                                                                                                                            MD5:78457FD45D2E051348DE5EFD1C93090D
                                                                                                                            SHA1:838576BBBD30DC3B4B1EA35A89E904015ECFA035
                                                                                                                            SHA-256:6A5E32FC9DF13C9C09A7FF0FD17A16F0E318B9BC579DD06A4B64CEAF9898AADC
                                                                                                                            SHA-512:5A159956F8064387AABE5FA4C969DFAAEC68ED2E6AE082F5FFA66A8681A43168F83A5038EED08073B9EFE621B6AD38780D2305904097AF9372B2D33F91DDF6A4
                                                                                                                            Malicious:false
                                                                                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                            Process:C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):29
                                                                                                                            Entropy (8bit):3.598349098128234
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                                                                            MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                                                                            SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                                                                            SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                                                                            SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                                                                            Malicious:false
                                                                                                                            Preview:....### explorer ###..[WIN]r
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 28 22:01:20 2024, mtime=Thu Nov 28 22:01:20 2024, atime=Thu Nov 28 22:01:20 2024, length=558592, window=hide
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):764
                                                                                                                            Entropy (8bit):5.063849601282812
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:8Hc24u6DWCDdY//T0hL99zD7ijAsxQ5rHklFhAxrAxZBmV:8Gu6Ss+wt99zD7eAs8YlFhMrMZBm
                                                                                                                            MD5:599C774A7CA8CDDE367F8B4EB8D06806
                                                                                                                            SHA1:75C0F31AA16062449FF34630620AE2091D8285BB
                                                                                                                            SHA-256:19B524A6CBABDF1FB6027D0922BB74D427158900E8CEED4D3D960E06251F19D6
                                                                                                                            SHA-512:85E3FC7C0D78B52491115209F89B3E11E0DF8A4CC3BEBA13A0AE86C45F23612E3CF5812480469667AB49AAB6DBEBEC11080E9F45A4C7F1D19116614B82692286
                                                                                                                            Malicious:false
                                                                                                                            Preview:L..................F.... ....&Kp.A...&Kp.A...&Kp.A..........................v.:..DG..Yr?.D..U..k0.&...&......vk.v......F].A..K.Op.A......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^|Y.............................%..A.p.p.D.a.t.a...B.V.1.....|Y....Roaming.@......CW.^|Y................................R.o.a.m.i.n.g.....b.2.....|Y+. .XClient.exe.H......|Y+.|Y+..........................b&..X.C.l.i.e.n.t...e.x.e.......Y...............-.......X............d.E.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......494126...........hT..CrF.f4... .........,.......hT..CrF.f4... .........,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                            Process:C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):558592
                                                                                                                            Entropy (8bit):7.684218688881861
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12288:cf0/QcHJOj8eW7KnqlIWZhmJKo1zGksv+SGjpA3yKUUo6a:lIcHJOjW7UonmJn1zGUxj
                                                                                                                            MD5:34EF4CB75BA2BF112A7EF70F7A270DBB
                                                                                                                            SHA1:CD0B9D5DE12841D7B0C49D7F6B98C12FD53E1837
                                                                                                                            SHA-256:2F8B625544A974B1D801BC2DE338DCA23ABB89FD6D49B5B9BB8AD2DBBB7E41BA
                                                                                                                            SHA-512:5F9336CAAB8B68C18E4C96297B42F95CFD7DAA7C7D48128567D09A70596C9386D0CC51DFCE1321F40AF9958A63502636C572E50FF321EEDC6E6CD7A80A073C6B
                                                                                                                            Malicious:true
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 58%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.................0..|............... ........@.. ....................................@.....................................O.......................................p............................................ ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B.......................H.......PI..\'...........p..p..............................................}.....(.......(.......s#...}....*.0............(.....s......o.....*B..{......o%....*B..{......o$....*.0............{....(.......(....o.....*..0..+.........,..{.......+....,...{....o........(.....*..0..5.........s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.684218688881861
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
File size: 558'592 bytes
MD5: 34ef4cb75ba2bf112a7ef70f7a270dbb
SHA1: cd0b9d5de12841d7b0c49d7f6b98c12fd53e1837
SHA256: 2f8b625544a974b1d801bc2de338dca23abb89fd6d49b5b9bb8ad2dbbb7e41ba
SHA512: 5f9336caab8b68c18e4c96297b42f95cfd7daa7c7d48128567d09a70596c9386d0cc51dfce1321f40af9958a63502636c572e50ff321eedc6e6cd7a80a073c6b
SSDEEP: 12288:cf0/QcHJOj8eW7KnqlIWZhmJKo1zGksv+SGjpA3yKUUo6a:lIcHJOjW7UonmJn1zGUxj
TLSH: 25C4F1442A6AD902C4E24BB04953D3F817784E8DED12D303EBEE7DEF7D3B6066584296
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.................0..|............... ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x489a0e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x9FC1E548 [Mon Dec 7 19:28:08 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   ; this line is repeated 97 times in the report (disassembly of the zero bytes that follow the jmp stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x899ba | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8871c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x87a14 | 0x87c00 | 181d2985dd779cfd6728fe05bcde2e01 | False | 0.9019966476749539 | data | 7.69396304461048 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x59c | 0x600 | d6943788d71d3562ef0bd7af1edc9a5e | False | 0.4205729166666667 | data | 4.066815452603143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8c000 | 0xc | 0x200 | 70bb1de79379156318501f568c08866f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8a090 | 0x30c | data | | | 0.43846153846153846
RT_MANIFEST | 0x8a3ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-29T00:01:23.584076+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:23.584076+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:32.668800+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:01:33.223475+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:33.225210+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:01:43.974486+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:43.976623+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:01:53.503770+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:53.503770+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:54.733348+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:01:54.734906+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:05.493399+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:05.496324+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:16.227028+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:16.228572+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:23.513394+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:23.513394+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:26.963451+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:26.966117+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:34.643611+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:34.647943+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:34.883628+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:34.885741+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:39.953842+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:39.956860+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:40.203637+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:40.318628+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:40.447578+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:40.456275+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:40.683803+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:40.686086+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:40.923978+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:40.925439+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:51.503537+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:51.505302+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:51.743251+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:51.745033+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:53.513761+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
                                                                                                                            2024-11-29T00:02:53.513761+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:02.254902+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:02.368356+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:02.508085+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:02.509642+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:02.809689+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:02.814381+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:08.463495+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:08.466049+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:12.153931+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:12.156600+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:18.393428+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:18.396507+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:23.513259+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:23.513259+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:28.833576+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:28.835162+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:29.081193+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:29.082564+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:29.386166+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:34.113684+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:34.361765+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:34.363317+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:34.614122+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:34.734132+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:34.843788+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:34.854354+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:35.084968+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:35.205389+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:45.033574+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:45.038183+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:45.273379+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:45.276551+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:50.533509+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:50.540111+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:50.795650+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:50.798483+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:03:53.503658+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:03:53.503658+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:01.327343+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:01.329021+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:06.423816+01002853193ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:06.743317+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:06.746944+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:06.984108+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:06.988196+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:07.223831+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:07.228167+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:11.553955+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:11.557443+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:16.553429+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:16.654405+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:17.088693+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:17.090849+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:23.515454+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:23.515454+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:27.843352+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:27.846030+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:38.587294+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:38.602965+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:48.254190+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:48.256218+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:48.493561+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:48.494761+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:48.798231+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
                                                                                                                            2024-11-29T00:04:53.523987+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:53.523987+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:54.303886+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1104.250.180.1787061192.168.2.449740TCP
                                                                                                                            2024-11-29T00:04:54.305392+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449740104.250.180.1787061TCP
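The alert table above shows the pattern a detection engineer wants to measure rather than eyeball: one client socket (192.168.2.4:49740) talking to one external endpoint (104.250.180.178:7061), with the ETPRO "PING Command Inbound" signature firing at a fixed cadence while the generic check-in signatures fire in bursts. The script below is an added example and is not part of the Joe Sandbox report or of the Emerging Threats rule set. It takes alert rows in the column order of the table (timestamp, SID, signature, severity, source IP, source port, destination IP, destination port, protocol), extracts the non-private C2 endpoint, counts alerts per SID and measures the inter-arrival time of the inbound PING alerts. The sample rows are a subset copied from the table above; the SID 2852874 is the one the table shows for the inbound PING; the 5 % jitter threshold and the minimum-sample count in `looks_like_beacon` are assumptions chosen for illustration.

```python
"""Beacon-cadence check over sandbox Suricata alert rows (added example).

Reads pipe-delimited alert rows, identifies the external C2 endpoint, counts
hits per SID and measures how regular the inbound XWorm PING alerts are.
"""
import ipaddress
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Timestamp layout used by the alert table, e.g. 2024-11-29T00:02:53.513761+0100
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

# SID of "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2" as listed above.
XWORM_PING_INBOUND_SID = 2852874

# Constructed sample: a subset of the alert rows from the table above, with the
# five inbound PING alerts, one outbound PING and two generic check-ins.
SAMPLE_ALERTS = """\
2024-11-29T00:02:34.885741+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:02:39.953842+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:02:53.513761+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:23.513259+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:03:53.503658+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:06.423816+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49740 | 104.250.180.178 | 7061 | TCP
2024-11-29T00:04:23.515454+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
2024-11-29T00:04:53.523987+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.4 | 49740 | TCP
"""


def parse_alerts(text):
    """Turn pipe-delimited alert rows into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 9:
            raise ValueError(f"expected 9 columns, got {len(cols)}: {line!r}")
        ts, sid, sig, sev, src, sport, dst, dport, proto = cols
        alerts.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "sid": int(sid),
            "signature": sig,
            "severity": int(sev),
            "src": (src, int(sport)),
            "dst": (dst, int(dport)),
            "proto": proto,
        })
    return alerts


def c2_endpoints(alerts):
    """(ip, port) pairs on the non-private side of each alert, whichever direction fired."""
    found = set()
    for a in alerts:
        for ip, port in (a["src"], a["dst"]):
            if not ipaddress.ip_address(ip).is_private:
                found.add((ip, port))
    return found


def alerts_per_sid(alerts):
    """How often each signature fired."""
    return Counter(a["sid"] for a in alerts)


def beacon_intervals(alerts, sid):
    """Seconds between consecutive alerts carrying the given SID, in time order."""
    times = sorted(a["ts"] for a in alerts if a["sid"] == sid)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def beacon_profile(intervals):
    """Mean period and population standard deviation (jitter); None if too few samples."""
    if len(intervals) < 2:
        return None
    return mean(intervals), pstdev(intervals)


def looks_like_beacon(intervals, max_jitter_ratio=0.05, min_samples=3):
    """Assumed heuristic: at least min_samples intervals and jitter under 5 % of the period."""
    if len(intervals) < min_samples:
        return False
    period, jitter = beacon_profile(intervals)
    return jitter <= max_jitter_ratio * period


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("C2 endpoints:", sorted(c2_endpoints(alerts)))
    print("alerts per SID:", dict(alerts_per_sid(alerts)))
    intervals = beacon_intervals(alerts, XWORM_PING_INBOUND_SID)
    period, jitter = beacon_profile(intervals)
    print(f"inbound PING period {period:.3f}s, jitter {jitter:.3f}s, beacon={looks_like_beacon(intervals)}")
```

On the five inbound PING rows the period comes out at almost exactly 30 seconds with a few milliseconds of jitter, which is the number to carry into a flow-based beaconing rule for hosts where no payload signature fires. The outbound PING (SID 2853193) is a single hit in this window and is deliberately not used for the cadence, since one sample says nothing about periodicity.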
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2024 00:01:21.698807955 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:21.819781065 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:21.819875956 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:21.921859980 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:22.045066118 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:23.584075928 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:23.635440111 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:32.668800116 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:32.788772106 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:33.223474979 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:33.225209951 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:33.345115900 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:43.417198896 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:43.537188053 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:43.974486113 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:43.976623058 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:44.096509933 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:53.503770113 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:53.557529926 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:54.167182922 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:54.287081957 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:54.733347893 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:01:54.734905958 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:01:54.854916096 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:04.917151928 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:05.037206888 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:05.493398905 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:05.496324062 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:05.616183996 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:15.667180061 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:15.787796021 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:16.227027893 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:16.228571892 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:16.349770069 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:23.513394117 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:23.557521105 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:26.417083979 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:26.623142004 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:26.963450909 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:26.966116905 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:27.088033915 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:34.089128971 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:34.209131002 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:34.209182978 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:34.329041958 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:34.643610954 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:34.647943020 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:34.768939018 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:34.883627892 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:34.885740995 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:35.005707979 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:39.388242006 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:39.508217096 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:39.542172909 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:39.662224054 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:39.714159012 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:39.834680080 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:39.834736109 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:39.953841925 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:39.954595089 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:39.956860065 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:40.076823950 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:40.198606968 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:40.203636885 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:40.318573952 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:40.318628073 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:40.438555002 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:40.447577953 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
Nov 29, 2024 00:02:40.456274986 CET | 49740 | 7061 | 192.168.2.4 | 104.250.180.178
Nov 29, 2024 00:02:40.622400045 CET | 7061 | 49740 | 104.250.180.178 | 192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:40.683803082 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:40.686085939 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:02:40.806116104 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:40.923978090 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:40.925438881 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:02:41.045295000 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:50.949997902 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:02:51.069993973 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:51.089977980 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:02:51.209851027 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:51.503536940 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:51.505301952 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:02:51.625263929 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:51.743251085 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:51.745033026 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:02:51.864969969 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:53.513761044 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:02:53.617547035 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:01.667195082 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:01.787149906 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:01.787209988 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:01.907087088 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:02.254901886 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:02.368355989 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:02.488557100 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:02.508085012 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:02.509641886 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:02.670543909 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:02.809689045 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:02.814380884 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:02.934355021 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:07.901818037 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:08.021785021 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:08.463495016 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:08.466048956 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:08.586029053 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:11.573720932 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:11.693841934 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:12.153930902 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:12.156599998 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:12.276593924 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:17.823754072 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:17.943679094 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:18.393428087 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:18.396507025 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:18.516377926 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:23.513258934 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:23.557662010 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:28.261285067 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:28.381259918 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:28.381318092 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:28.501225948 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:28.501319885 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:28.621241093 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:28.833575964 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:28.835161924 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:28.955140114 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:29.081192970 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:29.082564116 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:29.202534914 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:29.383865118 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:29.386166096 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:29.506119967 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:29.506187916 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:29.626138926 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:33.558036089 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:33.677985907 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:33.678037882 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:33.798019886 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:33.949101925 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:34.069211960 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.073559046 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:34.113683939 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.193871021 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.194046021 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:34.314048052 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.361764908 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.363317013 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:34.483496904 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.610093117 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.614121914 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:34.734013081 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.734132051 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:34.843787909 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.854260921 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:34.854353905 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:34.974386930 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:35.083329916 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:35.084968090 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:35.205158949 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:35.205389023 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:35.326392889 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:44.464210987 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:44.584233046 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:44.638204098 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:44.758126020 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:45.033574104 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:45.038182974 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:45.158555031 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:45.273379087 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:45.276551008 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:45.396461010 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:49.964307070 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:50.084398985 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:50.084475040 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:50.204477072 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:50.533509016 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:50.540111065 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:50.660151005 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:50.795650005 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:50.798482895 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:03:50.918495893 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:53.503658056 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:03:53.557733059 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:00.762176991 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:00.882371902 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:01.327342987 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:01.329020977 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:01.449084044 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:06.183396101 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:06.303555012 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:06.303608894 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:06.423732042 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:06.423815966 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:06.543755054 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:06.743316889 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:06.746943951 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:06.866925955 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:06.984107971 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:06.988195896 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:07.108149052 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:07.223830938 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:07.228167057 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:07.348165989 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:10.968163967 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:11.088184118 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:11.553955078 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:11.557442904 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:11.677371025 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:15.996057987 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:16.116520882 CET706149740104.250.180.178192.168.2.4
                                                                                                                            Nov 29, 2024 00:04:16.526832104 CET497407061192.168.2.4104.250.180.178
                                                                                                                            Nov 29, 2024 00:04:16.553428888 CET706149740104.250.180.178192.168.2.4

Target ID: 0
Start time: 18:00:55
Start date: 28/11/2024
Path: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe"
Imagebase: 0x110000
File size: 558'592 bytes
MD5 hash: 34EF4CB75BA2BF112A7EF70F7A270DBB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1692271403.0000000006F60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1690494145.0000000003549000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1690173212.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 18:00:56
Start date: 28/11/2024
Path: C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe"
Imagebase: 0x830000
File size: 558'592 bytes
MD5 hash: 34EF4CB75BA2BF112A7EF70F7A270DBB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.4128792337.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.4153151084.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 3
Start time: 18:01:00
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SKM_BH450i2411261138090453854974574748668683985857435.scr.exe'
Imagebase: 0xf40000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 18:01:00
Start date: 28/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 18:01:03
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SKM_BH450i2411261138090453854974574748668683985857435.scr.exe'
Imagebase: 0xf40000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 18:01:03
Start date: 28/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 18:01:08
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Imagebase: 0x800000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 18:01:08
Start date: 28/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 18:01:13
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Imagebase: 0xf40000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 18:01:13
Start date: 28/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 18
Start time: 18:04:55
Start date: 28/11/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1296
Imagebase: 0x120000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false


Execution Graph

Execution Coverage: 10.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 211
Total number of Limit Nodes: 16
                                                                                                                              execution_graph 33929 72b9a18 33930 72b9ba3 33929->33930 33931 72b9a3e 33929->33931 33931->33930 33933 72b42a8 33931->33933 33934 72b9c98 PostMessageW 33933->33934 33935 72b9d04 33934->33935 33935->33931 33673 235ad30 33677 235ae28 33673->33677 33682 235ae18 33673->33682 33674 235ad3f 33678 235ae39 33677->33678 33679 235ae5c 33677->33679 33678->33679 33680 235b060 GetModuleHandleW 33678->33680 33679->33674 33681 235b08d 33680->33681 33681->33674 33683 235ae5c 33682->33683 33684 235ae39 33682->33684 33683->33674 33684->33683 33685 235b060 GetModuleHandleW 33684->33685 33686 235b08d 33685->33686 33686->33674 33936 235d0c0 33937 235d106 33936->33937 33941 235d699 33937->33941 33944 235d6a8 33937->33944 33938 235d1f3 33943 235d6d6 33941->33943 33947 235d2fc 33941->33947 33943->33938 33945 235d2fc DuplicateHandle 33944->33945 33946 235d6d6 33945->33946 33946->33938 33948 235d710 DuplicateHandle 33947->33948 33949 235d7a6 33948->33949 33949->33943 33687 7160040 33688 716006a 33687->33688 33689 716007b 33687->33689 33690 7160109 33689->33690 33693 7160370 33689->33693 33698 7160360 33689->33698 33694 7160398 33693->33694 33695 716049e 33694->33695 33703 7160e90 33694->33703 33708 7160e48 33694->33708 33695->33688 33699 7160398 33698->33699 33700 716049e 33699->33700 33701 7160e90 DrawTextExW 33699->33701 33702 7160e48 DrawTextExW 33699->33702 33700->33688 33701->33700 33702->33700 33704 7160ea6 33703->33704 33713 71612b0 33704->33713 33717 71612a0 33704->33717 33705 7160f1c 33705->33695 33709 7160e4d 33708->33709 33711 71612b0 DrawTextExW 33709->33711 33712 71612a0 DrawTextExW 33709->33712 33710 7160f1c 33710->33695 33711->33710 33712->33710 33721 71612f0 33713->33721 33726 71612e0 33713->33726 33714 71612ce 33714->33705 33718 71612ce 33717->33718 33719 71612f0 DrawTextExW 33717->33719 33720 71612e0 DrawTextExW 33717->33720 33718->33705 
33719->33718 33720->33718 33722 7161321 33721->33722 33723 716134e 33722->33723 33731 7161366 33722->33731 33736 7161370 33722->33736 33723->33714 33727 7161321 33726->33727 33728 716134e 33727->33728 33729 7161366 DrawTextExW 33727->33729 33730 7161370 DrawTextExW 33727->33730 33728->33714 33729->33728 33730->33728 33733 7161391 33731->33733 33732 71613a6 33732->33723 33733->33732 33741 7160cac 33733->33741 33735 7161411 33738 7161391 33736->33738 33737 71613a6 33737->33723 33738->33737 33739 7160cac DrawTextExW 33738->33739 33740 7161411 33739->33740 33743 7160cb7 33741->33743 33742 7162fd9 33742->33735 33743->33742 33747 7163f60 33743->33747 33750 7163f4f 33743->33750 33744 71630ec 33744->33735 33748 7163f7d 33747->33748 33754 716329c 33747->33754 33748->33744 33751 7163f6a 33750->33751 33752 716329c DrawTextExW 33751->33752 33753 7163f7d 33752->33753 33753->33744 33755 7163f98 DrawTextExW 33754->33755 33757 716403e 33755->33757 33757->33748 33779 72b8182 33783 72b87af 33779->33783 33799 72b87b0 33779->33799 33780 72b7e11 33784 72b87ca 33783->33784 33815 72b8e65 33784->33815 33823 72b8f25 33784->33823 33828 72b8f66 33784->33828 33832 72b8dc7 33784->33832 33837 72b8be7 33784->33837 33842 72b924e 33784->33842 33847 72b90cf 33784->33847 33852 72b8bf5 33784->33852 33857 72b8cd6 33784->33857 33861 72b8c17 33784->33861 33868 72b8d70 33784->33868 33872 72b9318 33784->33872 33877 72b8ca4 33784->33877 33785 72b87d2 33785->33780 33800 72b87ca 33799->33800 33802 72b90cf 2 API calls 33800->33802 33803 72b924e 2 API calls 33800->33803 33804 72b8be7 2 API calls 33800->33804 33805 72b8dc7 2 API calls 33800->33805 33806 72b8f66 2 API calls 33800->33806 33807 72b8f25 2 API calls 33800->33807 33808 72b8e65 4 API calls 33800->33808 33809 72b8ca4 2 API calls 33800->33809 33810 72b9318 2 API calls 33800->33810 33811 72b8d70 2 API calls 33800->33811 33812 72b8c17 2 API calls 33800->33812 33813 72b8cd6 2 API calls 33800->33813 33814 72b8bf5 2 API calls 33800->33814 33801 72b87d2 
33801->33780 33802->33801 33803->33801 33804->33801 33805->33801 33806->33801 33807->33801 33808->33801 33809->33801 33810->33801 33811->33801 33812->33801 33813->33801 33814->33801 33889 72b76b8 33815->33889 33893 72b76b0 33815->33893 33816 72b92e7 33816->33785 33817 72b8de5 33817->33816 33881 72b7778 33817->33881 33885 72b7771 33817->33885 33818 72b8ca8 33818->33785 33824 72b9563 33823->33824 33897 72b75d8 33824->33897 33901 72b75e0 33824->33901 33825 72b957e 33829 72b8f6c 33828->33829 33905 72b7868 33829->33905 33909 72b7860 33829->33909 33833 72b8dcd 33832->33833 33835 72b7778 WriteProcessMemory 33833->33835 33836 72b7771 WriteProcessMemory 33833->33836 33834 72b8ca8 33834->33785 33835->33834 33836->33834 33838 72b8bf1 33837->33838 33838->33837 33839 72b9734 33838->33839 33913 72b7a00 33838->33913 33917 72b79f5 33838->33917 33839->33785 33843 72b9271 33842->33843 33845 72b7778 WriteProcessMemory 33843->33845 33846 72b7771 WriteProcessMemory 33843->33846 33844 72b9501 33845->33844 33846->33844 33848 72b90d5 33847->33848 33921 72b70f8 33848->33921 33925 72b70f1 33848->33925 33849 72b93eb 33853 72b8be7 33852->33853 33854 72b9734 33853->33854 33855 72b7a00 CreateProcessA 33853->33855 33856 72b79f5 CreateProcessA 33853->33856 33854->33785 33855->33853 33856->33853 33858 72b8cc1 33857->33858 33859 72b7868 ReadProcessMemory 33858->33859 33860 72b7860 ReadProcessMemory 33858->33860 33859->33858 33860->33858 33864 72b7a00 CreateProcessA 33861->33864 33865 72b79f5 CreateProcessA 33861->33865 33862 72b8be7 33863 72b9734 33862->33863 33866 72b7a00 CreateProcessA 33862->33866 33867 72b79f5 CreateProcessA 33862->33867 33863->33785 33864->33862 33865->33862 33866->33862 33867->33862 33870 72b7778 WriteProcessMemory 33868->33870 33871 72b7771 WriteProcessMemory 33868->33871 33869 72b8d94 33869->33785 33870->33869 33871->33869 33873 72b9428 33872->33873 33875 72b75d8 Wow64SetThreadContext 33873->33875 33876 72b75e0 Wow64SetThreadContext 33873->33876 33874 72b9443 33875->33874 
33876->33874 33878 72b8cad 33877->33878 33879 72b7868 ReadProcessMemory 33878->33879 33880 72b7860 ReadProcessMemory 33878->33880 33879->33878 33880->33878 33882 72b77c0 WriteProcessMemory 33881->33882 33884 72b7817 33882->33884 33884->33818 33886 72b77c0 WriteProcessMemory 33885->33886 33888 72b7817 33886->33888 33888->33818 33890 72b76f8 VirtualAllocEx 33889->33890 33892 72b7735 33890->33892 33892->33817 33894 72b76b8 VirtualAllocEx 33893->33894 33896 72b7735 33894->33896 33896->33817 33898 72b75e0 Wow64SetThreadContext 33897->33898 33900 72b766d 33898->33900 33900->33825 33902 72b7625 Wow64SetThreadContext 33901->33902 33904 72b766d 33902->33904 33904->33825 33906 72b78b3 ReadProcessMemory 33905->33906 33908 72b78f7 33906->33908 33908->33829 33910 72b78b3 ReadProcessMemory 33909->33910 33912 72b78f7 33910->33912 33912->33829 33914 72b7a89 CreateProcessA 33913->33914 33916 72b7c4b 33914->33916 33918 72b7a01 CreateProcessA 33917->33918 33920 72b7c4b 33918->33920 33922 72b7138 ResumeThread 33921->33922 33924 72b7169 33922->33924 33924->33849 33926 72b70f8 ResumeThread 33925->33926 33928 72b7169 33926->33928 33928->33849 33758 2354668 33759 235467a 33758->33759 33760 2354686 33759->33760 33762 2354779 33759->33762 33763 235479d 33762->33763 33767 2354878 33763->33767 33771 2354888 33763->33771 33769 23548af 33767->33769 33768 235498c 33768->33768 33769->33768 33775 23544b0 33769->33775 33772 23548af 33771->33772 33773 23544b0 CreateActCtxA 33772->33773 33774 235498c 33772->33774 33773->33774 33776 2355918 CreateActCtxA 33775->33776 33778 23559db 33776->33778

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 295 716aa60-716aa81 296 716aa83 295->296 297 716aa88-716ab74 295->297 296->297 299 716b3a3-716b3cb 297->299 300 716ab7a-716acce 297->300 303 716baac-716bab5 299->303 344 716acd4-716ad2f 300->344 345 716b371-716b3a1 300->345 305 716babb-716bad2 303->305 306 716b3d9-716b3e2 303->306 307 716b3e4 306->307 308 716b3e9-716b4dd 306->308 307->308 326 716b507 308->326 327 716b4df-716b4eb 308->327 331 716b50d-716b52d 326->331 329 716b4f5-716b4fb 327->329 330 716b4ed-716b4f3 327->330 332 716b505 329->332 330->332 335 716b52f-716b55d 331->335 336 716b58d-716b605 331->336 332->331 343 716b569-716b588 335->343 356 716b607-716b65a 336->356 357 716b65c-716b69f 336->357 348 716baa9 343->348 351 716ad34-716ad3f 344->351 352 716ad31 344->352 345->299 348->303 355 716b283-716b289 351->355 352->351 358 716ad44-716ad62 355->358 359 716b28f-716b30c 355->359 384 716b6aa-716b6b0 356->384 357->384 362 716ad64-716ad68 358->362 363 716adb9-716adce 358->363 400 716b35b-716b361 359->400 362->363 365 716ad6a-716ad75 362->365 368 716add5-716adeb 363->368 369 716add0 363->369 373 716adab-716adb1 365->373 370 716adf2-716ae09 368->370 371 716aded 368->371 369->368 375 716ae10-716ae26 370->375 376 716ae0b 370->376 371->370 377 716ad77-716ad7b 373->377 378 716adb3-716adb4 373->378 382 716ae2d-716ae34 375->382 383 716ae28 375->383 376->375 380 716ad81-716ad99 377->380 381 716ad7d 377->381 385 716ae37-716aea8 378->385 387 716ada0-716ada8 380->387 388 716ad9b 380->388 381->380 382->385 383->382 389 716b707-716b713 384->389 390 716aebe-716b036 385->390 391 716aeaa 385->391 387->373 388->387 393 716b715-716b79b 389->393 394 716b6b2-716b6d4 389->394 402 716b04c-716b187 390->402 403 716b038 390->403 391->390 395 716aeac-716aeb8 391->395 424 716b920-716b929 393->424 397 716b6d6 394->397 398 716b6db-716b704 394->398 395->390 397->398 398->389 405 716b363-716b369 
400->405 406 716b30e-716b358 400->406 414 716b1eb-716b200 402->414 415 716b189-716b18d 402->415 403->402 404 716b03a-716b046 403->404 404->402 405->345 406->400 417 716b207-716b228 414->417 418 716b202 414->418 415->414 419 716b18f-716b19e 415->419 421 716b22f-716b24e 417->421 422 716b22a 417->422 418->417 423 716b1dd-716b1e3 419->423 428 716b255-716b275 421->428 429 716b250 421->429 422->421 430 716b1e5-716b1e6 423->430 431 716b1a0-716b1a4 423->431 426 716b7a0-716b7b5 424->426 427 716b92f-716b988 424->427 435 716b7b7 426->435 436 716b7be-716b914 426->436 453 716b9bf-716b9e9 427->453 454 716b98a-716b9bd 427->454 437 716b277 428->437 438 716b27c 428->438 429->428 432 716b280 430->432 433 716b1a6-716b1aa 431->433 434 716b1ae-716b1cf 431->434 432->355 433->434 440 716b1d6-716b1da 434->440 441 716b1d1 434->441 435->436 442 716b7c4-716b804 435->442 443 716b893-716b8d3 435->443 444 716b84e-716b88e 435->444 445 716b809-716b849 435->445 456 716b91a 436->456 437->438 438->432 440->423 441->440 442->456 443->456 444->456 445->456 462 716b9f2-716ba9d 453->462 454->462 456->424 462->348
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$TJcq$Te^q$pbq$xbaq
                                                                                                                              • API String ID: 0-2576840827
                                                                                                                              • Opcode ID: 3adcd262ee96740523ec0e44081cdd4442aef89251351e1b938b4603031defbb
                                                                                                                              • Instruction ID: 9cf7b692af5a3c110aa2909d52b642a5f757a1dfcfb12389ec42b6b5ba28ac3d
                                                                                                                              • Opcode Fuzzy Hash: 3adcd262ee96740523ec0e44081cdd4442aef89251351e1b938b4603031defbb
                                                                                                                              • Instruction Fuzzy Hash: 40B2D6B5E00228CFDB64CF69C984AD9BBB2FF89304F1581E5D509AB265DB319E91CF40
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6c9268c54c80042a6ba1902e9e0739fd29ba4c02e01a3ed4b66a90a135493ba3
                                                                                                                              • Instruction ID: a4d89ec9da349b0bf96983ee3c83a927655fe4007ed98eeeef3bb628694e7f9a
                                                                                                                              • Opcode Fuzzy Hash: 6c9268c54c80042a6ba1902e9e0739fd29ba4c02e01a3ed4b66a90a135493ba3
                                                                                                                              • Instruction Fuzzy Hash: 2132BBB0B112059FDB29DBB9C550BAEBBF7AF89340F148469E5059B3A0CB35ED01CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c47f831ce583a63a9909d14f4f31b055e1779ba171301e41c668d5c6cf2a9810
                                                                                                                              • Instruction ID: e97b7e6b3ba2cb53cc413bdcb5748b2fc1eb09dcc0d805ac2dd4ad7dcb464bc1
                                                                                                                              • Opcode Fuzzy Hash: c47f831ce583a63a9909d14f4f31b055e1779ba171301e41c668d5c6cf2a9810
                                                                                                                              • Instruction Fuzzy Hash: 46A1F5B5E04228CFDF18CFA6D8487EDBBB6BF8A304F109069D449AB281DB745995CF41
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9ba751b17276c2f4fbc8eac75786475810a14d359038086410a4f3f01817608d
                                                                                                                              • Instruction ID: f06e3b238a56eb60fbff00c0e2df8358593d12812dc51f73d00a7491eb9a803f
                                                                                                                              • Opcode Fuzzy Hash: 9ba751b17276c2f4fbc8eac75786475810a14d359038086410a4f3f01817608d
                                                                                                                              • Instruction Fuzzy Hash: 94A116B5E04229CFDF18CFA5E8487EDBBB2BF8A304F109069D449AB291DB345995CF41
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a83121f2bf71ef01e9f8b10dc17635dce0743b09acc0367f2ba8c54beed37582
                                                                                                                              • Instruction ID: 11e74c51509683ae88e80a192e6a9c676ceba4ffe7601a8774fd47a2a7909a48
                                                                                                                              • Opcode Fuzzy Hash: a83121f2bf71ef01e9f8b10dc17635dce0743b09acc0367f2ba8c54beed37582
                                                                                                                              • Instruction Fuzzy Hash: B28103B4E19218CFCF18DFA9E4886EDBBF5BB4A300F15915AD449AB382D7309991CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ad2ddf1c7eb8672ee1b58fa4fc2d73e3dfa5b568350ec469912c1b95fbae84bb
                                                                                                                              • Instruction ID: 6739ebc69fddf2d66fc4221f44fa32b0c8cdc29c8d0eaf85bb0fe16c3cd70fc5
                                                                                                                              • Opcode Fuzzy Hash: ad2ddf1c7eb8672ee1b58fa4fc2d73e3dfa5b568350ec469912c1b95fbae84bb
                                                                                                                              • Instruction Fuzzy Hash: 9B31A6B5E046188BDB18CFABD84469EFBF3AFC8300F14C16AD858AB255DB7459428F50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 1a22ae2d47ab31f4947d688f75910e6aaca8279a6eb0d1f15c004a4c0e195b81
                                                                                                                              • Instruction ID: c0c43c548eae818d3f9f8a7835d7ae6a4be771dea70556a3e3fab17107c6a644
                                                                                                                              • Opcode Fuzzy Hash: 1a22ae2d47ab31f4947d688f75910e6aaca8279a6eb0d1f15c004a4c0e195b81
                                                                                                                              • Instruction Fuzzy Hash: 9131A5B5E046188BEB18CFABD84469EFAF3BFC8300F14C16AD458AB265EB745941CF50

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 489 72b79f5-72b7a95 492 72b7ace-72b7aee 489->492 493 72b7a97-72b7aa1 489->493 500 72b7af0-72b7afa 492->500 501 72b7b27-72b7b56 492->501 493->492 494 72b7aa3-72b7aa5 493->494 495 72b7ac8-72b7acb 494->495 496 72b7aa7-72b7ab1 494->496 495->492 498 72b7ab3 496->498 499 72b7ab5-72b7ac4 496->499 498->499 499->499 503 72b7ac6 499->503 500->501 502 72b7afc-72b7afe 500->502 509 72b7b58-72b7b62 501->509 510 72b7b8f-72b7c49 CreateProcessA 501->510 504 72b7b21-72b7b24 502->504 505 72b7b00-72b7b0a 502->505 503->495 504->501 507 72b7b0e-72b7b1d 505->507 508 72b7b0c 505->508 507->507 511 72b7b1f 507->511 508->507 509->510 512 72b7b64-72b7b66 509->512 521 72b7c4b-72b7c51 510->521 522 72b7c52-72b7cd8 510->522 511->504 514 72b7b89-72b7b8c 512->514 515 72b7b68-72b7b72 512->515 514->510 516 72b7b76-72b7b85 515->516 517 72b7b74 515->517 516->516 519 72b7b87 516->519 517->516 519->514 521->522 532 72b7cda-72b7cde 522->532 533 72b7ce8-72b7cec 522->533 532->533 534 72b7ce0 532->534 535 72b7cee-72b7cf2 533->535 536 72b7cfc-72b7d00 533->536 534->533 535->536 537 72b7cf4 535->537 538 72b7d02-72b7d06 536->538 539 72b7d10-72b7d14 536->539 537->536 538->539 542 72b7d08 538->542 540 72b7d26-72b7d2d 539->540 541 72b7d16-72b7d1c 539->541 543 72b7d2f-72b7d3e 540->543 544 72b7d44 540->544 541->540 542->539 543->544 546 72b7d45 544->546 546->546
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072B7C36
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 09a873c2de12d13f085124bd1da0d3e35ac0b038d0e2b4f3f5e255249fde2cd0
• Instruction ID: 63fd7970dbd4d4bb0bcd2c3bce01f87c483a454666a0ac94937fea22601f286e
• Opcode Fuzzy Hash: 09a873c2de12d13f085124bd1da0d3e35ac0b038d0e2b4f3f5e255249fde2cd0
• Instruction Fuzzy Hash: 1F916CB1D1021ADFDB20CF68C841BEDBBB2BF84354F1485AAD848A7340DB749985CF92

Control-flow Graph: function 72b7a00-72b7d45 (calls CreateProcessA)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 072B7C36
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: f22b6efa8714ba9484e52ff9e9daecdbd08ce3424a3c2460efa9262178ae139b
• Instruction ID: 97562483fcf23433a24a7ab45c5f105b477407a739b30c59e25661fe7776fda1
• Opcode Fuzzy Hash: f22b6efa8714ba9484e52ff9e9daecdbd08ce3424a3c2460efa9262178ae139b
• Instruction Fuzzy Hash: 6E916EB1D1021ADFDB20CF68C841BEDBBB2BF84354F1485AAD849A7350DB749985CF92

Control-flow Graph: function 235ae28-235b0a8 (calls GetModuleHandleW)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0235B07E
Memory Dump Source
• Source File: 00000000.00000002.1689765536.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2350000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: fe65c21f596b3cccc3123b28d932cf7bd93f2a012df844b8f0b5ec504174c9b0
• Instruction ID: 6f9b424fdd1ce0aab9c1b23436b6e970d5f4c0f7b8850afa80f9b8d4187e51e7
• Opcode Fuzzy Hash: fe65c21f596b3cccc3123b28d932cf7bd93f2a012df844b8f0b5ec504174c9b0
• Instruction Fuzzy Hash: 397148B0A00B158FD724DF29D450B5ABBF1FF88304F008A2DD88AD7A50DB35E949CB90

Control-flow Graph: function 7163238-7164062 (calls DrawTextExW)
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07163F7D,?,?), ref: 0716402F
Memory Dump Source
• Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 7491e2c7f56cee081e1808ce6ee35697ba035a21a3db947ab611688609386630
• Instruction ID: de7612a6034349b13d23daecbf3afdddb77543ac67486aa3abbee6081f2762c8
• Opcode Fuzzy Hash: 7491e2c7f56cee081e1808ce6ee35697ba035a21a3db947ab611688609386630
• Instruction Fuzzy Hash: 193169B19002599FCB11DF99D844AEEFFF9EF49314F14806EE415E7250C770A951CBA4

Control-flow Graph: function 23544b0-2355a61 (calls CreateActCtxA)
APIs
• CreateActCtxA.KERNEL32(?), ref: 023559C9
Memory Dump Source
• Source File: 00000000.00000002.1689765536.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2350000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f5bf5e904a7f071b974ac90571b9d256aceb691950ec2cc035ebdd54284f963e
• Instruction ID: e3706997ded460a06d30e778839962a32366827b60adefe876b50ba2d1449c3c
• Opcode Fuzzy Hash: f5bf5e904a7f071b974ac90571b9d256aceb691950ec2cc035ebdd54284f963e
• Instruction Fuzzy Hash: 3D41D1B0C00729CBDB24DFA9C884B9EBBF5BF48304F64806AD408AB255DB756945CF90

Control-flow Graph: function 235590c-2355a61 (calls CreateActCtxA)
APIs
• CreateActCtxA.KERNEL32(?), ref: 023559C9
Memory Dump Source
• Source File: 00000000.00000002.1689765536.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2350000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 7e938e5f307dc91f7eaad0b9eb893705d433c3b6f768c1e8e6abf7ffbad41151
• Instruction ID: 1b1f7f280159e89b59fe6e350705afb6c5f179c9a950b407fce65740e8163e87
• Opcode Fuzzy Hash: 7e938e5f307dc91f7eaad0b9eb893705d433c3b6f768c1e8e6abf7ffbad41151
• Instruction Fuzzy Hash: 5E41D1B1D00619CFDB24DFA9C884BDDBBB5BF48304F2480AAD408AB255DB756949CF90

Control-flow Graph: function 7163290-7164062 (calls DrawTextExW)
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07163F7D,?,?), ref: 0716402F
Memory Dump Source
• Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: a2aa4230f58f9be07661d702e0ee71ef2d27fe9a86bd637bb04e38f8c8915186
• Instruction ID: 49278987472b81809dc44688a1dc278fc0dcb3b241412904a00346ddc463d839
• Opcode Fuzzy Hash: a2aa4230f58f9be07661d702e0ee71ef2d27fe9a86bd637bb04e38f8c8915186
• Instruction Fuzzy Hash: 453134B59003599FCB11DF99D884AEEFFF5EF48314F14806AE859A7250C770A940CFA0

Control-flow Graph: function 716329c-7164062 (calls DrawTextExW)
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07163F7D,?,?), ref: 0716402F
Memory Dump Source
• Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 5819ff69b08e7eae1c00b36fd9a1bae8f26a83782f7ed88ecea69120adc751f1
• Instruction ID: a5f0fdbb6b85a56d16742937d4e4ea76d923f6b11578f23393217f737f5fe423
• Opcode Fuzzy Hash: 5819ff69b08e7eae1c00b36fd9a1bae8f26a83782f7ed88ecea69120adc751f1
• Instruction Fuzzy Hash: D33103B5D003099FDB10CF9AD884AEEFBF4FB48310F14842AE819A7250D374A950CFA0

Control-flow Graph: function 72b7771-72b784e (calls WriteProcessMemory)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072B7808
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: cf7331442b509f1dc8ed0f0f90d2ce0ffdeac2a007f39f287794a78e3ffd3094
• Instruction ID: 26a608ce2fd015fae358ca23297279f2c4d5e49688c6de1aa834e469beb71f1e
• Opcode Fuzzy Hash: cf7331442b509f1dc8ed0f0f90d2ce0ffdeac2a007f39f287794a78e3ffd3094
• Instruction Fuzzy Hash: 5D2146B19002599FCF10CFA9C884BDEBBF1FF88310F10842AE958A7340C7789944CBA4

Control-flow Graph: function 7163f90-7164062 (calls DrawTextExW)
                                                                                                                              APIs
                                                                                                                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07163F7D,?,?), ref: 0716402F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DrawText
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2175133113-0

Control-flow Graph (rendered graph omitted; recoverable from the residue: basic blocks 72b7778-72b784e, WriteProcessMemory called from block 72b77d6-72b7815)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072B7808
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph (rendered graph omitted; recoverable from the residue: basic blocks 72b75d8-72b76a4, Wow64SetThreadContext called from block 72b763b-72b766b)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072B765E
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072B78E8
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0235D6D6,?,?,?,?,?), ref: 0235D797
Memory Dump Source
• Source File: 00000000.00000002.1689765536.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2350000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072B765E
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072B78E8
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0235D6D6,?,?,?,?,?), ref: 0235D797
Memory Dump Source
• Source File: 00000000.00000002.1689765536.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2350000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072B7726
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072B7726
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0235B07E
Memory Dump Source
• Source File: 00000000.00000002.1689765536.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2350000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
                                                                                                                              • Opcode ID: 8e5e7b20d8bb152241d374ce4d88ecebb59c37e32684256ec8c071bd8aa4d09f
                                                                                                                              • Instruction ID: ab19bb9e122cb2cba5e18bae27b0bf0e3f17361b3d27c4107f1388124713f6b3
                                                                                                                              • Opcode Fuzzy Hash: 8e5e7b20d8bb152241d374ce4d88ecebb59c37e32684256ec8c071bd8aa4d09f
                                                                                                                              • Instruction Fuzzy Hash: 28110FB5D002598FDB20CF9AC444BDEFBF5AF88328F10846AD868A7210D379A545CFA1
                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 072B9CF5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              • Opcode ID: 3c8c8b673114e158be6b15be9bcd90add156bf36c68b1809784a70cc462e2eeb
                                                                                                                              • Instruction ID: d2735a35123c5ddb98839f63fa5d8275110de8f0df4f486a4ef3f88dc3ef5561
                                                                                                                              • Opcode Fuzzy Hash: 3c8c8b673114e158be6b15be9bcd90add156bf36c68b1809784a70cc462e2eeb
                                                                                                                              • Instruction Fuzzy Hash: 3C11F5B5900249DFDB11DFAAC884BDEBFF8EB48314F208459E994A7210C375A584CFA1
                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 072B9CF5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              • Opcode ID: e0afb9cfd7064bd5f543a7f1a2e5067eacbc3c3e75bcee388a2d8f51a7718cf1
                                                                                                                              • Instruction ID: ee87c5e352b5862de3b2948436c0edf8c0eff1e6d752acd71500830d59b81b7d
                                                                                                                              • Opcode Fuzzy Hash: e0afb9cfd7064bd5f543a7f1a2e5067eacbc3c3e75bcee388a2d8f51a7718cf1
                                                                                                                              • Instruction Fuzzy Hash: 321115B5900349DFDB20DF9AC488BDEFBF8EB48324F108459E958A7210C375A984CFA5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689333431.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_95d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d4d20d6b2e6210944d8c1b007b071bee3874d8d86e944b21c5a01dd262108183
                                                                                                                              • Instruction ID: 715c8a6f779e2d5eb389b8f7d5d84ab78c6faa4f4e059c69a7107e00bf626c58
                                                                                                                              • Opcode Fuzzy Hash: d4d20d6b2e6210944d8c1b007b071bee3874d8d86e944b21c5a01dd262108183
                                                                                                                              • Instruction Fuzzy Hash: FD213A71500204DFDB15DF15D9C0B26BF69FB94315F20C569DD094F2A6C33AE85AC7A2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689333431.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_95d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9856988c26afb5dcd2db822d9b069efb22f1014a8eb50071ef15147332477c2d
                                                                                                                              • Instruction ID: 2db1f6e87a1c7e9918273893fa7e5ff19455e4fe443e9f6e5d643d04834871bb
                                                                                                                              • Opcode Fuzzy Hash: 9856988c26afb5dcd2db822d9b069efb22f1014a8eb50071ef15147332477c2d
                                                                                                                              • Instruction Fuzzy Hash: 20214271500200DFCB21DF14D9C0B2ABF69FB98319F20C569EC090B25AC33AD84ACBA2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689382820.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_96d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0e93de11f992f0901152e91a354f186878184f20ed543c26db6cd46cdf35bdd1
                                                                                                                              • Instruction ID: 28409b27354ad64a7591bb75ae880ea015fec6cd458db2062809bd65be9d0ca6
                                                                                                                              • Opcode Fuzzy Hash: 0e93de11f992f0901152e91a354f186878184f20ed543c26db6cd46cdf35bdd1
                                                                                                                              • Instruction Fuzzy Hash: DF213B71B04200DFDB05DF14D5D0B26BBA5FB84314F24C96DD8294B355C33AD846CB61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689382820.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_96d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 37c319060913a7df879c2184356c5d57a782bbfc98279b0e42757902444e00b4
                                                                                                                              • Instruction ID: bee8a7eef39750778e0e68b437a53049fd46eb7950d30e9f8ead4dacc1c9d91f
                                                                                                                              • Opcode Fuzzy Hash: 37c319060913a7df879c2184356c5d57a782bbfc98279b0e42757902444e00b4
                                                                                                                              • Instruction Fuzzy Hash: 33210475A04240DFDB14DF14D9C4B26BFA9FB88314F24C96DE81A4B296C33BD847CAA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689382820.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_96d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2bb6adb97a9833e5b680fa73ab8f8c55c3f2515400a10d65a782b70c07f27dfc
                                                                                                                              • Instruction ID: e0a0df9807eeba5b961e92576d0af33683925a428db141637dda9c16d2ef58f3
                                                                                                                              • Opcode Fuzzy Hash: 2bb6adb97a9833e5b680fa73ab8f8c55c3f2515400a10d65a782b70c07f27dfc
                                                                                                                              • Instruction Fuzzy Hash: 99215E755093808FDB12CF24D994B15BF71EB46314F28C5EAD8498F6A7C33A980ACB62
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689333431.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_95d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                              • Instruction ID: 71c9f14c08fefb632ecbadb9daf1546b8868ddb37a361d36aff27b5658f12bc1
                                                                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                              • Instruction Fuzzy Hash: 18110372404240CFDB16CF00D5C4B16BF72FB94324F24C2A9DC090B266C33AE85ACBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689333431.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_95d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                              • Instruction ID: a4054b9ab832bf5919886f06b2a44e348a4f9d9efe6536363ff6181a8965a46a
                                                                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                              • Instruction Fuzzy Hash: E311D376504280CFDB16CF14D5C4B16BF71FB94318F24C6A9EC490B65AC336D85ACBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689382820.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_96d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                              • Instruction ID: 8432118ae69ce0044033ea4c39057e7565ce871f9738aadefd38b047e8a4aba0
                                                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                              • Instruction Fuzzy Hash: 9D11BB75A04280DFDB12CF10C5D4B15BBA1FB84314F28C6AAD8594B296C33AD84ACB61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689333431.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_95d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 142286c2997f34db143d4a682de25af3201eb49dab0e4a1f60e3a4a3276536cb
                                                                                                                              • Instruction ID: fd186daf2b084f85a8d2ac9850e40bbe342df8720a642045ae1e41a0d9d4eb17
                                                                                                                              • Opcode Fuzzy Hash: 142286c2997f34db143d4a682de25af3201eb49dab0e4a1f60e3a4a3276536cb
                                                                                                                              • Instruction Fuzzy Hash: 8D01F7B100A3409AE720CE26CD84B67BF9CDF49325F18C96AED084A286D2399844CB71
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689333431.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_95d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 383f51784551eddb8e25705eafc7aa9024f5755e6c0d8cdf7142cade9facd473
                                                                                                                              • Instruction ID: 56ad49d1c2fccd5b1cfbc2d2813fee5a68d1df7f2ecd4b21ecf0b49c5d15f9c9
                                                                                                                              • Opcode Fuzzy Hash: 383f51784551eddb8e25705eafc7aa9024f5755e6c0d8cdf7142cade9facd473
                                                                                                                              • Instruction Fuzzy Hash: ECF06271405344AEF7208E16D888B62FFACEB95735F18C45AED084A286C2799844CBB1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: TJcq$Te^q$xbaq
                                                                                                                              • API String ID: 0-3225726259
                                                                                                                              • Opcode ID: 74c04299ee742813d154b2237c94ae826b3ff68dbe5b5d50502cd04ab4354407
                                                                                                                              • Instruction ID: c4f58a9fda94f80d683aeb6c91a0210dea0d7740b418df00034992ef81dd8d0b
                                                                                                                              • Opcode Fuzzy Hash: 74c04299ee742813d154b2237c94ae826b3ff68dbe5b5d50502cd04ab4354407
                                                                                                                              • Instruction Fuzzy Hash: EFC183B5E006188FDB18DF6AD944ADDBBF2BF88301F14C0A9D809AB364DB305E858F50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: []tf
                                                                                                                              • API String ID: 0-3064894147
                                                                                                                              • Opcode ID: f1d2d77e23bd4c9ff150b73655c90db7cf6e5425562713630e3fbf29db83f67a
                                                                                                                              • Instruction ID: 65baaf4375da263c60e064b6eaf4ac360140704166e535b02f2a93d7192206ef
                                                                                                                              • Opcode Fuzzy Hash: f1d2d77e23bd4c9ff150b73655c90db7cf6e5425562713630e3fbf29db83f67a
                                                                                                                              • Instruction Fuzzy Hash: 0FE1D8B4E102598FCB14DFA9C5809AEFBF2FF89304F248169D415AB356D731A982CF61
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q
                                                                                                                              • API String ID: 0-1614139903
                                                                                                                              • Opcode ID: e94559ff730f60cf35fc322df76b0acc85eddbc04387e24c69c47683f8bac19e
                                                                                                                              • Instruction ID: 823b7cbc0dde5e5ea7530716a703c91b91eff0971011b33d8108bc1a683d365b
                                                                                                                              • Opcode Fuzzy Hash: e94559ff730f60cf35fc322df76b0acc85eddbc04387e24c69c47683f8bac19e
                                                                                                                              • Instruction Fuzzy Hash: 2B612D74A016499FD708EF7AE94169ABBF3FBC8304F14C529D018AB279EB34594ADB40
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692465819.0000000007160000.00000040.00000800.00020000.00000000.sdmp, Offset: 07160000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7160000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q
                                                                                                                              • API String ID: 0-1614139903
                                                                                                                              • Opcode ID: 710c2a346ec339bdcea07cf97180a0585b5c1c3ebe77d3a5ca0e5bb256c51ad0
                                                                                                                              • Instruction ID: d1d46f9e83033d3467b8829411ea5229b15c9bae2812c020d62c3fbc34ce0988
                                                                                                                              • Opcode Fuzzy Hash: 710c2a346ec339bdcea07cf97180a0585b5c1c3ebe77d3a5ca0e5bb256c51ad0
                                                                                                                              • Instruction Fuzzy Hash: 70611D70E016499FD708EF7AE94169ABBF3FBC8304F14D529D0149B278EB74590ADB40
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 925caead7c809d1146abdc12326b22ab59c18dec17f1584defe4101a7e6b6487
                                                                                                                              • Instruction ID: cb4fc204f5525c544968c9544e3dee4662d3c079b4692811ba6228830b4780a9
                                                                                                                              • Opcode Fuzzy Hash: 925caead7c809d1146abdc12326b22ab59c18dec17f1584defe4101a7e6b6487
                                                                                                                              • Instruction Fuzzy Hash: 87E1FAB4E102598FCB14DFA9C5809AEFBF2FF89304F249169E414AB356D731A942CF61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 33a351c63a98506cade1041847ba6dd3c9ffc1372cf75c6c11692fd971b9abe2
                                                                                                                              • Instruction ID: 27704910a7326580fc52ec6e4cbb7f40a86dcdf5bdcaa6749107ff6778942230
                                                                                                                              • Opcode Fuzzy Hash: 33a351c63a98506cade1041847ba6dd3c9ffc1372cf75c6c11692fd971b9abe2
                                                                                                                              • Instruction Fuzzy Hash: ECE1EBB4E102598FCB14DFA9C5809AEFBF2FF89304F248169D415AB356D731A982CF61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 1a90f0bb3c29e7d207262f654d5c41fa5d52e1a8615cf4b7df45c2e19475d172
                                                                                                                              • Instruction ID: 1f7e27c0c6065b258290b6b0b8ef3ddde60d09c7395ebe0f441393795ec6726a
                                                                                                                              • Opcode Fuzzy Hash: 1a90f0bb3c29e7d207262f654d5c41fa5d52e1a8615cf4b7df45c2e19475d172
                                                                                                                              • Instruction Fuzzy Hash: B5E1FDB4E102598FCB14DFA9C5809AEFBF2FF89305F248169D814A7355D730A946CF61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bf92a174f7b9a5304c5953e0a08b074a9979a81db5590c3ad309882a46661fb4
                                                                                                                              • Instruction ID: c150e2dff2d302e7b8ce8bc65ef613bb56889f5183f81ac268f37bac193bd6f3
                                                                                                                              • Opcode Fuzzy Hash: bf92a174f7b9a5304c5953e0a08b074a9979a81db5590c3ad309882a46661fb4
                                                                                                                              • Instruction Fuzzy Hash: 7BE1FDB4E102598FCB14DFA9C5809AEFBF2FF89305F248169E414AB356D731A981CF60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1689765536.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_2350000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 74145865f4e51944143f783d0243b031fd4ea2769124d566252b6abc95534c25
                                                                                                                              • Instruction ID: c63b116ea8be3a681edafa9b88ec16366d8d97a1d0d6745ad641ab6fbf18a14a
                                                                                                                              • Opcode Fuzzy Hash: 74145865f4e51944143f783d0243b031fd4ea2769124d566252b6abc95534c25
                                                                                                                              • Instruction Fuzzy Hash: 58A17E76E102198FCF15DFA4C44099EB7B2FF86304B25856AEC09AB661DB35E915CF80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1692578706.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_72b0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ff94300130658354c1cdfcd016132024ac67500a457aa1ac9e4fcd274e5c43a0
                                                                                                                              • Instruction ID: 1f0a0e2b82371081a6593e041b10d9ab40d8581d0a90e51ffbba3e73ea14b73d
                                                                                                                              • Opcode Fuzzy Hash: ff94300130658354c1cdfcd016132024ac67500a457aa1ac9e4fcd274e5c43a0
                                                                                                                              • Instruction Fuzzy Hash: 7AC012B1EB9000C6C5100ED464040F4B37CDA4F296F083066D68FA3602D254E1664214

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage: 10.7%
                                                                                                                              Dynamic/Decrypted Code Coverage: 100%
                                                                                                                              Signature Coverage: 0%
                                                                                                                              Total number of Nodes: 37
                                                                                                                              Total number of Limit Nodes: 5
                                                                                                                              execution_graph
                                                                                                                              Nodes (node id, address, API called):
                                                                                                                              • 24273 5ca4618
                                                                                                                              • 24276 5ca462d
                                                                                                                              • 24274 5ca48ca
                                                                                                                              • 24277 5ca88a0
                                                                                                                              • 24278 5ca882a
                                                                                                                              • 24279 5ca88a6
                                                                                                                              • 24283 5ca8aa0
                                                                                                                              • 24288 5ca8ab0
                                                                                                                              • 24280 5ca8936
                                                                                                                              • 24284 5ca8ab0
                                                                                                                              • 24292 5ca8ad8
                                                                                                                              • 24301 5ca8ae8
                                                                                                                              • 24285 5ca8abe
                                                                                                                              • 24290 5ca8ad8 2 API calls
                                                                                                                              • 24291 5ca8ae8 2 API calls
                                                                                                                              • 24289 5ca8abe
                                                                                                                              • 24293 5ca8ae8
                                                                                                                              • 24294 5ca8af5
                                                                                                                              • 24309 5ca6ce8
                                                                                                                              • 24296 5ca8b3e
                                                                                                                              • 24298 5ca8ba3
                                                                                                                              • 24299 5ca8c06 GlobalMemoryStatusEx
                                                                                                                              • 24300 5ca8c36
                                                                                                                              • 24302 5ca8af5
                                                                                                                              • 24303 5ca8b1d
                                                                                                                              • 24304 5ca6ce8 GlobalMemoryStatusEx
                                                                                                                              • 24306 5ca8b3a
                                                                                                                              • 24305 5ca8b3e
                                                                                                                              • 24307 5ca8c06 GlobalMemoryStatusEx
                                                                                                                              • 24308 5ca8c36
                                                                                                                              • 24310 5ca8bc0 GlobalMemoryStatusEx
                                                                                                                              • 24312 5ca8b3a
                                                                                                                              • 24313 29de540 DuplicateHandle
                                                                                                                              • 24314 29de5d6
                                                                                                                              • 24315 29d91e0
                                                                                                                              • 24316 29d9224 SetWindowsHookExW
                                                                                                                              • 24318 29d926a
                                                                                                                              Edges (caller -> callee):
                                                                                                                              • 24273->24276
                                                                                                                              • 24276->24277
                                                                                                                              • 24277->24278
                                                                                                                              • 24277->24279
                                                                                                                              • 24278->24274
                                                                                                                              • 24279->24283
                                                                                                                              • 24279->24288
                                                                                                                              • 24280->24274
                                                                                                                              • 24283->24284
                                                                                                                              • 24284->24292
                                                                                                                              • 24284->24301
                                                                                                                              • 24285->24280
                                                                                                                              • 24288->24290
                                                                                                                              • 24288->24291
                                                                                                                              • 24289->24280
                                                                                                                              • 24290->24289
                                                                                                                              • 24291->24289
                                                                                                                              • 24292->24293
                                                                                                                              • 24293->24294
                                                                                                                              • 24293->24309
                                                                                                                              • 24294->24285
                                                                                                                              • 24296->24285
                                                                                                                              • 24298->24285
                                                                                                                              • 24299->24300
                                                                                                                              • 24300->24285
                                                                                                                              • 24301->24302
                                                                                                                              • 24301->24303
                                                                                                                              • 24302->24285
                                                                                                                              • 24303->24304
                                                                                                                              • 24304->24306
                                                                                                                              • 24305->24285
                                                                                                                              • 24306->24305
                                                                                                                              • 24306->24307
                                                                                                                              • 24307->24308
                                                                                                                              • 24308->24285
                                                                                                                              • 24309->24310
                                                                                                                              • 24310->24312
                                                                                                                              • 24312->24296
                                                                                                                              • 24312->24298
                                                                                                                              • 24312->24299
                                                                                                                              • 24313->24314
                                                                                                                              • 24315->24316
                                                                                                                              • 24316->24318

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph
                                                                                                                              Basic blocks (block id, address range, call target / API):
                                                                                                                              • 1210 5ca8ae8-5ca8af3
                                                                                                                              • 1211 5ca8b1d-5ca8b3c call 5ca6ce8
                                                                                                                              • 1212 5ca8af5-5ca8b1c call 5ca6cdc
                                                                                                                              • 1218 5ca8b3e-5ca8b41
                                                                                                                              • 1219 5ca8b42-5ca8ba1
                                                                                                                              • 1226 5ca8ba3-5ca8ba6
                                                                                                                              • 1227 5ca8ba7-5ca8c34 GlobalMemoryStatusEx
                                                                                                                              • 1231 5ca8c3d-5ca8c65
                                                                                                                              • 1232 5ca8c36-5ca8c3c
                                                                                                                              Edges (predecessor -> successor):
                                                                                                                              • 1210->1211
                                                                                                                              • 1210->1212
                                                                                                                              • 1211->1218
                                                                                                                              • 1211->1219
                                                                                                                              • 1219->1226
                                                                                                                              • 1219->1227
                                                                                                                              • 1227->1231
                                                                                                                              • 1227->1232
                                                                                                                              • 1232->1231
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.4225042327.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_5ca0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (
                                                                                                                              • API String ID: 0-3887548279
                                                                                                                              • Opcode ID: f3a59d8c290caf560341e7007f076d342bcb7ba7034cdde57d2d734b20d915bc
                                                                                                                              • Instruction ID: d2090cf26897cdc8e96c6559b5097359639cb738956b6dea6070c4522f77fc42
                                                                                                                              • Opcode Fuzzy Hash: f3a59d8c290caf560341e7007f076d342bcb7ba7034cdde57d2d734b20d915bc
                                                                                                                              • Instruction Fuzzy Hash: AE412272E0435A9FCB04DFB9D8046AABFF5EF89210F04896AD408A7241DB789845CBE0
                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029DE5C7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.4144754107.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_29d0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0
                                                                                                                              • Opcode ID: 7de92fbefddebbf1ec37ed801ae7e136a861b5c2fd6156707af71ec5f057ae1d
                                                                                                                              • Instruction ID: baa551ab5a6146c94d02cb3c419feb777f7b3fc7938baec6491c2e13df1ff208
                                                                                                                              • Opcode Fuzzy Hash: 7de92fbefddebbf1ec37ed801ae7e136a861b5c2fd6156707af71ec5f057ae1d
                                                                                                                              • Instruction Fuzzy Hash: 3421E4B5D00208DFDB10CF9AD984ADEBBF8FB48310F14841AE958A7310D374A940CFA4
                                                                                                                              APIs
                                                                                                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 029D925B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.4144754107.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_29d0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HookWindows
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2559412058-0
                                                                                                                              • Opcode ID: 2289a0fde724d78dbea5c73775dc582977d56ee923c1994eb00f6353d1eb0c15
                                                                                                                              • Instruction ID: 32067cacb5e59f700ec3c2fe3d96d9bcba11204c25c8bd3be640a0e79cb4af6f
                                                                                                                              • Opcode Fuzzy Hash: 2289a0fde724d78dbea5c73775dc582977d56ee923c1994eb00f6353d1eb0c15
                                                                                                                              • Instruction Fuzzy Hash: 1A2134B5D002098FDB14DFA9C944BEEBBF5EF88320F20842AD459A7250C774A945CFA5
                                                                                                                              APIs
                                                                                                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 029D925B
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000002.00000002.4144754107.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_2_2_29d0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HookWindows
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2559412058-0
                                                                                                                              • Opcode ID: d7816436b7790d5602954fda3f0d71cc2fa1bf9adf2c3e669861d53ac1a8a350
                                                                                                                              • Instruction ID: abf1d4ad08282420288dcdba7bf5b25bbc467b8577eee0aa1adcf8b261c84c8a
                                                                                                                              • Opcode Fuzzy Hash: d7816436b7790d5602954fda3f0d71cc2fa1bf9adf2c3e669861d53ac1a8a350
                                                                                                                              • Instruction Fuzzy Hash: FD2113B5D002098FDB14DFAAC944BEEFBF9AF88324F10842AD459A7250C774A944CFA5
APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05CA8B3A), ref: 05CA8C27
Memory Dump Source
• Source File: 00000002.00000002.4225042327.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5ca0000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Memory Dump Source
• Source File: 00000002.00000002.4131840208.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_107d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.4131840208.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_107d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.4132674407.000000000294D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0294D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_294d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.4132674407.000000000294D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0294D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_294d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.4132674407.000000000294D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0294D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_294d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.4131840208.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_107d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.4131840208.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_107d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.4132674407.000000000294D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0294D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_294d000_SKM_BH450i2411261138090453854974574748668683985857435.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 7.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph:
• 20914 (8e47868) -> 20915
• 20915 (8e478ab, SetThreadToken) -> 20916
• 20916 (8e478d9)

Control-flow Graph

control_flow_graph:
• 632 (4ddb470-4ddb4a9) -> 634, 635
• 634 (4ddb4ae-4ddb7e9, call 4ddacbc) -> 696
• 635 (4ddb4ab) -> 634
• 696 (4ddb7ee-4ddb7f5)
Memory Dump Source
• Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

control_flow_graph:
• 781 (4ddb490-4ddb4a9) -> 782, 783
• 782 (4ddb4ae-4ddb7e9, call 4ddacbc) -> 844
• 783 (4ddb4ab) -> 782
• 844 (4ddb7ee-4ddb7f5)
Memory Dump Source
• Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$J3l$J3l$J3l$J3l$J3l$J3l$r2l$r2l
• API String ID: 0-2616406786

Control-flow Graph

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                              • API String ID: 0-1420252700
                                                                                                                              • Opcode ID: 174b19d6bb0d3b969bf6a083b6575c05aa3319ce8be33d6f8cb905588c44b44e
                                                                                                                              • Instruction ID: fde3728e5ca502a0157081cced9e879aaa9fc4ae997c64018e141d8ee2214e8a
                                                                                                                              • Opcode Fuzzy Hash: 174b19d6bb0d3b969bf6a083b6575c05aa3319ce8be33d6f8cb905588c44b44e
                                                                                                                              • Instruction Fuzzy Hash: 221259B1B00399CFCB198B69D84166ABBE2AFC5310F14807ADB05CB751DB35DE45CBA2

                                                                                                                              Control-flow Graph (function at 8e47860, calls SetThreadToken; rendered graph, node/edge list omitted)
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1756098882.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_8e40000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ThreadToken
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3254676861-0
                                                                                                                              • Opcode ID: 4546fc264438ff7649b719fe4b1676f34acbdba0f6e9989d37fc3c8ff3efc8e1
                                                                                                                              • Instruction ID: ddb85d5f3cf22e02ce119b88f15db65ba7230f5da65657448e93ed6cf4b7ddcc
                                                                                                                              • Opcode Fuzzy Hash: 4546fc264438ff7649b719fe4b1676f34acbdba0f6e9989d37fc3c8ff3efc8e1
                                                                                                                              • Instruction Fuzzy Hash: 801143B19002598FCB10CFAAD985BDEFFF4EF88320F248429D458A7610C7B4A945CFA5

                                                                                                                              Control-flow Graph (function at 8e47868, calls SetThreadToken; rendered graph, node/edge list omitted)
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1756098882.0000000008E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E40000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_8e40000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ThreadToken
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3254676861-0
                                                                                                                              • Opcode ID: 64f8eae136fc4d13ee1e5b022f26300c3672190a158960af8139212407cdd3af
                                                                                                                              • Instruction ID: 875c5465cc299c64e91691a56b54fedf46c4a6b7af4e3a40f6d5d7fc9c2c94ef
                                                                                                                              • Opcode Fuzzy Hash: 64f8eae136fc4d13ee1e5b022f26300c3672190a158960af8139212407cdd3af
                                                                                                                              • Instruction Fuzzy Hash: CC1125B19002188FCB10DF9AD945B9EFBF8EB48324F248419D458A7210C774A944CFA4

                                                                                                                              Control-flow Graph (function at 4dd6fe0, calls 4dd767c, 4dd7697, 4ddbf1c; rendered graph, node/edge list omitted)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (bq
                                                                                                                              • API String ID: 0-149360118
                                                                                                                              • Opcode ID: 56bfe5ec3a9010724eb6a044a0f4aded936944e45f6b4482b7f2bd8a85efa4d8
                                                                                                                              • Instruction ID: af7e99b07309e02f5871436545bd265ed50ce49cf76fa72147990e399c04ec43
                                                                                                                              • Opcode Fuzzy Hash: 56bfe5ec3a9010724eb6a044a0f4aded936944e45f6b4482b7f2bd8a85efa4d8
                                                                                                                              • Instruction Fuzzy Hash: 8C414834B042048FCB08DFA8C458ABEBBF2EB8D311F1440A9E402AB395DA35EC01CB60

                                                                                                                              Control-flow Graph (function at 4dde5a4, calls 4dde714, 4dde720; rendered graph, node/edge list omitted)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: J3l
                                                                                                                              • API String ID: 0-3862774051
                                                                                                                              • Opcode ID: a3d1d0582632f0cd5e758ab95fa618201f00a9547fb988f4a934d890903260cb
                                                                                                                              • Instruction ID: 3569323fab10c40703e9652ae772044dcad8bfc1cce0420fc0229a458b922b8c
                                                                                                                              • Opcode Fuzzy Hash: a3d1d0582632f0cd5e758ab95fa618201f00a9547fb988f4a934d890903260cb
                                                                                                                              • Instruction Fuzzy Hash: 53315C34A00605DFCB14DF69D994A9EBBF2FF88304F108529E415AB3A8DB31BD45CBA1

                                                                                                                              Control-flow Graph (function at 4dde5a8, calls 4dde714, 4dde720; rendered graph, node/edge list omitted)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: J3l
                                                                                                                              • API String ID: 0-3862774051
                                                                                                                              • Opcode ID: aa4c2ec53b8759424e3ae7a9a0b13dfcdac5cc32041ca93ab442b2dadfe4218f
                                                                                                                              • Instruction ID: 6809e8db150e6f57817eca448c146a69264b2b00a3fa14a5a7943101c68c1b85
                                                                                                                              • Opcode Fuzzy Hash: aa4c2ec53b8759424e3ae7a9a0b13dfcdac5cc32041ca93ab442b2dadfe4218f
                                                                                                                              • Instruction Fuzzy Hash: AD313A34A00605DFCB14DF69D994A9EBBF2FF88304F148529E416AB398DB31AD45CBA1

                                                                                                                              Control-flow Graph (function at 4ddaf98, calls 4dda984; rendered graph, node/edge list omitted)
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (&^q
                                                                                                                              • API String ID: 0-2067289071
                                                                                                                              • Opcode ID: 2ffffc3c1ad96d049dbe5c1eaea2e32d42bec391c9733675266eadca950a6e0c
                                                                                                                              • Instruction ID: 34bcac97d2c757f69acbf1c3d9fdf72f5a4b7dc90eaf129d77aff5530c7164f0
                                                                                                                              • Opcode Fuzzy Hash: 2ffffc3c1ad96d049dbe5c1eaea2e32d42bec391c9733675266eadca950a6e0c
                                                                                                                              • Instruction Fuzzy Hash: E1E086167481A81B8B1EA27E282042E6BEB9AC6550359C4BFE509CB345DC15DC0A43E9

                                                                                                                              Control-flow Graph (function at 4dde720, calls 4dd014c, 4dde9bf, 4dde714, 4dde896, 4dde720; rendered graph, node/edge list omitted)
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cbcbba7ddc4954b4524f690fd40e32e804a0c8640b3f0dfd0fc6b07de97864df
                                                                                                                              • Instruction ID: b7c542d8bdc9f130c804ba33b186fe161335cfccabea76e0e088f8e05b912821
                                                                                                                              • Opcode Fuzzy Hash: cbcbba7ddc4954b4524f690fd40e32e804a0c8640b3f0dfd0fc6b07de97864df
                                                                                                                              • Instruction Fuzzy Hash: 05918C34B102298FCB14DF78D5445ADBBE6BF88710B244469E806EB364EF35EC42CB91

                                                                                                                              Control-flow Graph (function at 4dd29f0; rendered graph, node/edge list omitted)
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7cbff816640dfda44a91164ef6bb61290653a1d605d88eb7aba8f2f9a663a3c7
                                                                                                                              • Instruction ID: f1d102a0fb5c04dbcfcaad7fbb91f65158864ff97bb3cdb19c557c6b43661b3b
                                                                                                                              • Opcode Fuzzy Hash: 7cbff816640dfda44a91164ef6bb61290653a1d605d88eb7aba8f2f9a663a3c7
                                                                                                                              • Instruction Fuzzy Hash: 6F9149B4A006458FCB15CF59C4949AEFBF1FF88310B2585A9E815AB365C736FC51CBA0

                                                                                                                              Control-flow Graph (function at 4dde39b, calls 4dde5a8, 4dde5a4; rendered graph, node/edge list omitted)
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0b3952460580755c5a87b5044b253e2506e29e23e071196d6986710abcd24f7f
                                                                                                                              • Instruction ID: 98d09ba95b97f06cf1a64df76b7516e4aad63c7d2e604f73a63496597910cad2
                                                                                                                              • Opcode Fuzzy Hash: 0b3952460580755c5a87b5044b253e2506e29e23e071196d6986710abcd24f7f
                                                                                                                              • Instruction Fuzzy Hash: CA614A74B006068FDB10DF69C584A6EBBE6FF88304F5484A9E549DF365EB34EC058B91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7898689777de35be759ed66d1171f61565045f5437f400a4895bc5e54e1421db
                                                                                                                              • Instruction ID: 98ec95d1085b69ee625301cf9d63d4626e56ab20bc0323398d683bb12b029ac4
                                                                                                                              • Opcode Fuzzy Hash: 7898689777de35be759ed66d1171f61565045f5437f400a4895bc5e54e1421db
                                                                                                                              • Instruction Fuzzy Hash: 9F611571E00209CFDB14DFA9C584A9DBBF5FF88314F15816AE819AB354EB34AC45CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b7e22b96238ae8f914fcd7df45d5ab6f33e672aa7aa4be2c6f2794df67f91e04
                                                                                                                              • Instruction ID: 2c664170490f42d8814b371c55bfe511eb2298cc3a6cfa5ffeec69e8e2ab66c6
                                                                                                                              • Opcode Fuzzy Hash: b7e22b96238ae8f914fcd7df45d5ab6f33e672aa7aa4be2c6f2794df67f91e04
                                                                                                                              • Instruction Fuzzy Hash: 7C51AF35300215DFDB14DB69D844A2AB7EAFFC8215F2589BAE409DB351EB35EC01CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9b4e4d5c8c6c7a1e69e4ed79b06363f0fbb1da209c1d8a233551cc0df70890e9
                                                                                                                              • Instruction ID: 4a15a36d4c4d88a4b62873a3e49a997413bbff5b0119b84aba073f737669e5e6
                                                                                                                              • Opcode Fuzzy Hash: 9b4e4d5c8c6c7a1e69e4ed79b06363f0fbb1da209c1d8a233551cc0df70890e9
                                                                                                                              • Instruction Fuzzy Hash: 47511571E00248DFCB14DFA9D584A9DFBF5FF88314F15806AE819AB364EB34A845CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 39a0b8797a4d7b4d3da244a91cb27c0988507f27807d7e94aac72cb51dae8bcb
                                                                                                                              • Instruction ID: 2522a4d89e0a6152d00ff2c46afec6bca2b2496af41df556b0658eda5a2275fb
                                                                                                                              • Opcode Fuzzy Hash: 39a0b8797a4d7b4d3da244a91cb27c0988507f27807d7e94aac72cb51dae8bcb
                                                                                                                              • Instruction Fuzzy Hash: F44149347002058FDB10DFACCA9492ABBE6FF88304B5584A9F549DF329EB34EC058B91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5a9650814c05e2fba866c8e3dd3445e2f81f70c4c78d4694ed2512f8740b0b3e
                                                                                                                              • Instruction ID: a489f0e289ab55372c6750aa960fbcb4e3f045dee3ba91aad6faa00a44ba2eb5
                                                                                                                              • Opcode Fuzzy Hash: 5a9650814c05e2fba866c8e3dd3445e2f81f70c4c78d4694ed2512f8740b0b3e
                                                                                                                              • Instruction Fuzzy Hash: 134119F0A10286CFDB148F29C591A7ABBF2AF85754F1480A5DA009F791C739DE45CBA2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: de264b4ddbe26e24abe649952744bb7216f956ebc3b260e2ad9ad84d8fe52df6
                                                                                                                              • Instruction ID: e35d45b3c030fc0b528a833b6f8725405df9a457457d1d2011517461f9db86e7
                                                                                                                              • Opcode Fuzzy Hash: de264b4ddbe26e24abe649952744bb7216f956ebc3b260e2ad9ad84d8fe52df6
                                                                                                                              • Instruction Fuzzy Hash: EA4129B4A006059FCB09CF59C5989AEFBB1FF88310B1585A9D815AB368C736FC51CFA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 02c1d200ca17304a035770e70b2113a882bec30153305d420859a5e867ef9ba6
                                                                                                                              • Instruction ID: fa1ba7feadf5c09bf00b50108d3c0ee89d31d964d7c1b55c498590466e404869
                                                                                                                              • Opcode Fuzzy Hash: 02c1d200ca17304a035770e70b2113a882bec30153305d420859a5e867ef9ba6
                                                                                                                              • Instruction Fuzzy Hash: 2F313934B042458FCB14DBA8C598ABEBBF1BF8D315F189099E446AB395DA35EC01CB20
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ed41accb6c5e10558a25a38a31ca67f4c08919ddf526ffc08172e1cb4f2fcb44
                                                                                                                              • Instruction ID: c55e6a0be17126e05871813fbe6082f25be681f98ddac7ebb0dce11e63fe87fe
                                                                                                                              • Opcode Fuzzy Hash: ed41accb6c5e10558a25a38a31ca67f4c08919ddf526ffc08172e1cb4f2fcb44
                                                                                                                              • Instruction Fuzzy Hash: 8F318D353002009FDB15EB68E844B9EB7A6EFC5211F008139E60ACB365EF71AC49CBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cfed0df97e487acb81024c41b7a6da1a9dc4ae00bdcccd79cf7c0c991362b4b7
                                                                                                                              • Instruction ID: 20524293dcae151b37507b04e236e0d8adc939c50553ada2efb41e3cb13fc7b5
                                                                                                                              • Opcode Fuzzy Hash: cfed0df97e487acb81024c41b7a6da1a9dc4ae00bdcccd79cf7c0c991362b4b7
                                                                                                                              • Instruction Fuzzy Hash: A8316870B002098BDB18DFB9D494AAEBBF6EF89310F148069E405EB354EB349C418B61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5244f7620177bc17081e477b03f5f082de2828237816ec31e969cde8a86827fd
                                                                                                                              • Instruction ID: ad105e5e2fce694db7b62a21041b683dd63c27515821696cb467e7f153205434
                                                                                                                              • Opcode Fuzzy Hash: 5244f7620177bc17081e477b03f5f082de2828237816ec31e969cde8a86827fd
                                                                                                                              • Instruction Fuzzy Hash: 39314870B006099FDB18DFB9D5947AEBBF6EF89310F148069E405EB354EB349C418BA5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ee19367d12cceaad9b20e8e5abd2b3bbdb608a29b37df0389277ac4871bd43bd
                                                                                                                              • Instruction ID: c19389e79d405094c85ef8ff5b9768243d7dd4e0928818fac8d646f2ed843c03
                                                                                                                              • Opcode Fuzzy Hash: ee19367d12cceaad9b20e8e5abd2b3bbdb608a29b37df0389277ac4871bd43bd
                                                                                                                              • Instruction Fuzzy Hash: 7F3184B8E002099FEB04EBA4D455ABEBBB6EF84304F2184ADC155AF394DA349D41CF61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0819567eec06527bc002bf58eaf141b88c33260bacd80fdf75ce6c4fe1cb3809
                                                                                                                              • Instruction ID: b1b28f3587a9a57e185605f9fe4aa244fe95cfa8c7b638e74fdbe4faeddb2471
                                                                                                                              • Opcode Fuzzy Hash: 0819567eec06527bc002bf58eaf141b88c33260bacd80fdf75ce6c4fe1cb3809
                                                                                                                              • Instruction Fuzzy Hash: E1314834B002048FCB14DF69D458AAEBBF2AF88714F154469E406EB3A4DB71AC45CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9093030034da48b77e8f9b0c10097abd8df3b5e4f95617061648fc3ad1558668
                                                                                                                              • Instruction ID: 755c2ea0caef105b7e7252a8aaf77cdf5fb7650bcdf0007543c7dd710a5bec62
                                                                                                                              • Opcode Fuzzy Hash: 9093030034da48b77e8f9b0c10097abd8df3b5e4f95617061648fc3ad1558668
                                                                                                                              • Instruction Fuzzy Hash: E73152B8E002099FEB04EFA4D455ABEB7B6EF84304F118469D115AF394DA35ED028FA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4fb981f67606e64eac5fc2d0ef8648ffce3880861e31966d82fd0fd1470d3e14
                                                                                                                              • Instruction ID: 82f3b4565ed9a2256abf8d707e5281d3ba0f8171e1f134cdcfbfcce7a108b947
                                                                                                                              • Opcode Fuzzy Hash: f08a3b702c00d07ee990ef9f12962828df685986a8ac7d480bd7d85e78a40a76
                                                                                                                              • Instruction Fuzzy Hash: AAF0F975100640AFD725CF06C984D23BBBDEB95620B19859AA84A5B752C631FC42CFA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 78a6257ad3c14977cacdc44c928c77d41c2d324bcd68fab53689dec7eb095782
                                                                                                                              • Instruction ID: bc5c7f0e086f15435240a753537fcac1da05472c2b95ff6590859ea339325586
                                                                                                                              • Opcode Fuzzy Hash: 78a6257ad3c14977cacdc44c928c77d41c2d324bcd68fab53689dec7eb095782
                                                                                                                              • Instruction Fuzzy Hash: 1CF082752002009FE704DB28E9409AAB796EFC12197158A7ED24DDF724DE32AC4AC7B4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 07165a0474577ccfffa40766aa428128bd6ea31bfc58e49e6dc8782e842cc3d2
                                                                                                                              • Instruction ID: 89261def25c640b3b02e8c18c7e7df1a8293b1166ca4539ecc1f9fc6e7e057ca
                                                                                                                              • Opcode Fuzzy Hash: 07165a0474577ccfffa40766aa428128bd6ea31bfc58e49e6dc8782e842cc3d2
                                                                                                                              • Instruction Fuzzy Hash: FA01E4B1D1074ADBCB04CFE4C944AEDBBB5FF99300F20072EE016A6600EBB06685CB81
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0f295a00dbdc9cff981b7260515e63dae06559da5d607e04c76cdad55a686a0c
                                                                                                                              • Instruction ID: 832b3958143ace48815ec74e3b8ab9b45faaf212fc2cffbf0c9189e74aa5a01b
                                                                                                                              • Opcode Fuzzy Hash: 0f295a00dbdc9cff981b7260515e63dae06559da5d607e04c76cdad55a686a0c
                                                                                                                              • Instruction Fuzzy Hash: 37F0A0727006149FDB149A6AE884A6FB7F9EBC8271B00092DE14AC7340DF71AC4187B4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f89d9cf7fb3519e2aa0dbc5169d21da6b58dab078ed68815eb27673b96925963
                                                                                                                              • Instruction ID: 08473d59bcd25c92d2b2383fb6fc711518389e2d5fd95400d1f3ed238cbe4a32
                                                                                                                              • Opcode Fuzzy Hash: f89d9cf7fb3519e2aa0dbc5169d21da6b58dab078ed68815eb27673b96925963
                                                                                                                              • Instruction Fuzzy Hash: DBF082752002049BD704E729D94095AB79AEFC22597118A3ED24D9F724DE71EC0987F4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 79da44aae35c5a0ab2587367da3efd1d39ae03f56311e031cab5c295376c7765
                                                                                                                              • Instruction ID: 4ca93e9d275e4e22051646238f68e1f016fa8f30d3ae43a05592170f185f5109
                                                                                                                              • Opcode Fuzzy Hash: 79da44aae35c5a0ab2587367da3efd1d39ae03f56311e031cab5c295376c7765
                                                                                                                              • Instruction Fuzzy Hash: C501D6B1D1074ADACB44CFE4C9446EDBBB1FF99300F24072EE015A6A40E7B06685CB81
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 1e1932ed62b89844f303cd2e138a2c55bf65d75888991c4266fb7882e0451962
                                                                                                                              • Instruction ID: 5bd43d253a8c5ae0919caaf1e4d2a602298b56adab07e40dc06ef1989d31536c
                                                                                                                              • Opcode Fuzzy Hash: 1e1932ed62b89844f303cd2e138a2c55bf65d75888991c4266fb7882e0451962
                                                                                                                              • Instruction Fuzzy Hash: DFF024357042058FF755AB28C0193ABBBA6EFC432DF20816ED45A4B384CF396846CBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 57d8a10d573ed39c055bf8417fc8bc1a2be9403d0f14525950fcb4b217148ab6
                                                                                                                              • Instruction ID: a05fdb76a8924ddea4a414b550e2c9fcdcb0d390c5fe064597e5c0e5942be28a
                                                                                                                              • Opcode Fuzzy Hash: 57d8a10d573ed39c055bf8417fc8bc1a2be9403d0f14525950fcb4b217148ab6
                                                                                                                              • Instruction Fuzzy Hash: 03F0EC35B04054ABCF1885ADE4014FCBB76DFCD221F04807BD54AEB341D671541687A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 602645654f9bbbcf5897e48ca9c55535ccfb7dbf5363d2786aae65a31bde13ad
                                                                                                                              • Instruction ID: 4f286fd165a0b9828f9b0fb9f0a62c3e300f62eb17dc236bb42894c66c6bae85
                                                                                                                              • Opcode Fuzzy Hash: 602645654f9bbbcf5897e48ca9c55535ccfb7dbf5363d2786aae65a31bde13ad
                                                                                                                              • Instruction Fuzzy Hash: A0F030397002148FCF10EBADDD40AAA7BA6FBC8651B154199E509DF324EF35DC028B91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bd64e72e88eb426ad8d4e1a0d2f6ed63d9ec2c34cdcc294231e2a087991740ad
                                                                                                                              • Instruction ID: b4c983e7f84e7696599f70093fca5215a48ff053c3fe96d8c9c9c44d40832ec6
                                                                                                                              • Opcode Fuzzy Hash: bd64e72e88eb426ad8d4e1a0d2f6ed63d9ec2c34cdcc294231e2a087991740ad
                                                                                                                              • Instruction Fuzzy Hash: D5F0E9356042044BE700AB68C01439B77AADBC071CF20812ED50A4B384CE396801CBE1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 760715f28de0f5d340ffaeef97c839b306ea78edf260242eaef1aa6bab278426
                                                                                                                              • Instruction ID: 6c6505b26e74215bfffca738d23506ffbc676d60fa9341cf76e3452abd8d2cbb
                                                                                                                              • Opcode Fuzzy Hash: 760715f28de0f5d340ffaeef97c839b306ea78edf260242eaef1aa6bab278426
                                                                                                                              • Instruction Fuzzy Hash: 40E0E5353501118F87109B1DD498C66B7FAEFCE76572900AAE689CB335DA61EC01CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9f62a06e206339afbacd0e4b00c801ce4fe72d8887cb1f13bbad1266cf48f832
                                                                                                                              • Instruction ID: ca186ccf4b45957eac86d232b665820f90f5e10338dff4846f7862567aff8ac9
                                                                                                                              • Opcode Fuzzy Hash: 9f62a06e206339afbacd0e4b00c801ce4fe72d8887cb1f13bbad1266cf48f832
                                                                                                                              • Instruction Fuzzy Hash: 6AE092363052105BD32486BAA484AABA7D6EFD5761F18407DD94AC7391E9629802C650
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a5a3609def4cd67c11e2502a9d3ed793a7129e8e6e244388e3d83ebfd015f032
                                                                                                                              • Instruction ID: 70a13de621c76518de3d84486c37d4cc9f0086675ee9289e3bf94b500a929758
                                                                                                                              • Opcode Fuzzy Hash: a5a3609def4cd67c11e2502a9d3ed793a7129e8e6e244388e3d83ebfd015f032
                                                                                                                              • Instruction Fuzzy Hash: 2BF07F39A01118DFCB04CF98E985D9DFBB2FB48325B258155F909AB351CB35ED41CB40
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3c206afc65f3e0939f629b83150747dba63a54bc3a743369987ced06cdcc3507
                                                                                                                              • Instruction ID: 28ee259f8eaafea72400edef9fa8f6efbb229ca23ec176fb27c4fd51046f1d03
                                                                                                                              • Opcode Fuzzy Hash: 3c206afc65f3e0939f629b83150747dba63a54bc3a743369987ced06cdcc3507
                                                                                                                              • Instruction Fuzzy Hash: 45E0D871B04245AADB144A9DE8945DABB69EB9A260F04057ED545AB240EB6124258290
Memory Dump Source
• Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0447c46ce81e2223a46c309bc2e9fc02c48e9c8f06e87ba967d9ddf8ef0d2074
• Instruction ID: 4f4017e19ef24c8cdccb1b3e877e5d8ff54abfa7449b0d10d7a39369bdddd1de
• Opcode Fuzzy Hash: 0447c46ce81e2223a46c309bc2e9fc02c48e9c8f06e87ba967d9ddf8ef0d2074
• Instruction Fuzzy Hash: 76E020313002001F9518E75EAC5097EE78BDFC5260365493ED16ED7724CE319C4A8770
                                                                                                                              • Opcode Fuzzy Hash: 76055e6400fe9962ffc2d0d20c11c981ad99716a78ae5a8882d740791c166c2a
                                                                                                                              • Instruction Fuzzy Hash: 3FE04CB1E0114A9F8784DFA9C94156EFBF0EF48204B60C5AE9919D7205E73296528B91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 50cd8cd7da64e3373bd61e70314388cb42111e8c88b89de9761949d0c0a985de
                                                                                                                              • Instruction ID: a148212ffc7cd1ddab014401c27a90d8d9be6935bb97316ea3b0a69dddfb3128
                                                                                                                              • Opcode Fuzzy Hash: 50cd8cd7da64e3373bd61e70314388cb42111e8c88b89de9761949d0c0a985de
                                                                                                                              • Instruction Fuzzy Hash: 7BD01734E0820E8B8B48EFA4E44686EBBB8EB49201F004169E95997344EB306911DBC1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ecbd8742b4f9306d3e8ac411a4751a7528b0d0f2cc7079ef16e0e965dca4873f
                                                                                                                              • Instruction ID: 5ef79715522b645d9154d93b78613e8c1f709c705252c03293a53441f03cfb14
                                                                                                                              • Opcode Fuzzy Hash: ecbd8742b4f9306d3e8ac411a4751a7528b0d0f2cc7079ef16e0e965dca4873f
                                                                                                                              • Instruction Fuzzy Hash: AFE08C31E0810A8F8758EB64D08646EBFB0EB09201B004159F89997241EB305850DB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 15003af37e912e21b3b0b27ef5c315344f824ac66969007873f84f7b1f0f69f2
                                                                                                                              • Instruction ID: 995830a7c95429e6414d47b29adea8741d81bb10a595d44445ce241fc5ead67b
                                                                                                                              • Opcode Fuzzy Hash: 15003af37e912e21b3b0b27ef5c315344f824ac66969007873f84f7b1f0f69f2
                                                                                                                              • Instruction Fuzzy Hash: 0FD01731D0404ACBCB09ABA4E86A4FEFF74FB04302B40019DF96756191EB701A8ACB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e11e356ca28ef561863579c55467886e8c80ca9d103a1e3ec3614f66bd13fb84
                                                                                                                              • Instruction ID: d4b572ff286017d7908607b6974954373bc729d8af93a0239eecae429d854acc
                                                                                                                              • Opcode Fuzzy Hash: e11e356ca28ef561863579c55467886e8c80ca9d103a1e3ec3614f66bd13fb84
                                                                                                                              • Instruction Fuzzy Hash: AAD09239B04218CFDB14CB98E884A9CB371FB88325F208065E519AB251CB32E916CB40
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 260164f3019bc8ca90ac19d80ba591d6840d5f632af049da05c2481a0d8c3f94
                                                                                                                              • Instruction ID: 900561d7cb2cac22d8e85f6d0b00a21a0f3d9f0da19ef579dc5da91b8b4a8b98
                                                                                                                              • Opcode Fuzzy Hash: 260164f3019bc8ca90ac19d80ba591d6840d5f632af049da05c2481a0d8c3f94
                                                                                                                              • Instruction Fuzzy Hash: 9CC09B555096901BEF51933545DA7016FB357C355DF4551DCD18187855C974C446CB03
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7e009a9b36800e40500000cab2d28272296f0c0bdc2a7ab864c32237948cc745
                                                                                                                              • Instruction ID: 74fd5e774b538fbb0f6f0ffe2c3ad89a1d770d696b83f45d343cabbf9580249b
                                                                                                                              • Opcode Fuzzy Hash: 7e009a9b36800e40500000cab2d28272296f0c0bdc2a7ab864c32237948cc745
                                                                                                                              • Instruction Fuzzy Hash: 3AD012755483849FCB665F78E0C89043F60BB16215B1405DDE84A4E293CA76C449CF41
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ebeb3af84c9e48c68145d98d3521ac8fccef5c0510bdfa507293d8ce82057d7b
                                                                                                                              • Instruction ID: e1b7f30d43dce9b3aa39b5ff9642503426cbef9dbbe930223c4f119ac384173a
                                                                                                                              • Opcode Fuzzy Hash: ebeb3af84c9e48c68145d98d3521ac8fccef5c0510bdfa507293d8ce82057d7b
                                                                                                                              • Instruction Fuzzy Hash: 43B01221107B9249EB198A36CF413A27FE0C9660F1B4C02E9A5C2CA187F70EE149DB12
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a879ad38454dd587e33a0e7d21529d30042906cf88e5845c880a41c307f63b81
                                                                                                                              • Instruction ID: c6da357710286e35dbb2dc9efce2085c619c752901bfaba7d0e9d0457666815e
                                                                                                                              • Opcode Fuzzy Hash: a879ad38454dd587e33a0e7d21529d30042906cf88e5845c880a41c307f63b81
                                                                                                                              • Instruction Fuzzy Hash: 92B092310447098FC259AF75F4089147329BB4021938008A8E90E0A2928F76E889CA85
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $c%k$4'^q$4'^q$4'^q$4'^q$840l$840l$tP^q$tP^q$J3l$J3l$J3l$J3l$J3l$r2l$r2l
                                                                                                                              • API String ID: 0-1201355405
                                                                                                                              • Opcode ID: 867dbe128b747fce778779cb66df0f960d66116398b0801df1bce60ae21fd527
                                                                                                                              • Instruction ID: fb4d2d8e3bcd4459d5baabd445ec859171b923bbd90add141e3e0400bb77f2af
                                                                                                                              • Opcode Fuzzy Hash: 867dbe128b747fce778779cb66df0f960d66116398b0801df1bce60ae21fd527
                                                                                                                              • Instruction Fuzzy Hash: A8D189B5B0430A8FCB258B6994446AABBF2AFC5210F1980ABD605CF251DB32DD85C7A1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$(l$(l
                                                                                                                              • API String ID: 0-2446002323
                                                                                                                              • Opcode ID: 6886f28fe7c74b4408086e597f4f724998fd11894fc46a0cc0d3ef464abff516
                                                                                                                              • Instruction ID: be37355b44e014c95e61cbb7e11d03efde3dc6fcd60e83108fb0d0ed6fade019
                                                                                                                              • Opcode Fuzzy Hash: 6886f28fe7c74b4408086e597f4f724998fd11894fc46a0cc0d3ef464abff516
                                                                                                                              • Instruction Fuzzy Hash: 0AA18DB2704389DFCB149A69984577ABBE6AFC1610F14806FEA09CF391CA35CD45C7A2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$$^q$$^q$$^q$(l$(l
                                                                                                                              • API String ID: 0-1209065596
                                                                                                                              • Opcode ID: d42b68199bde1c042ddedcb87c05c6550ed40b70a7ad9d2e3100952a785ee6f4
                                                                                                                              • Instruction ID: 1903070a63624897782222e8d873428150aa40a87e8bd247be95f4fb642758d6
                                                                                                                              • Opcode Fuzzy Hash: d42b68199bde1c042ddedcb87c05c6550ed40b70a7ad9d2e3100952a785ee6f4
                                                                                                                              • Instruction Fuzzy Hash: 745188F570438ACFCB245A69880026BBBE2AFC2620F15847BD645CB351DB35CD86C7A3
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q
                                                                                                                              • API String ID: 0-1041444323
                                                                                                                              • Opcode ID: 31ca2059ac05cb91e75454856ae34bef21ee68809a3fe121615309633edb02bd
                                                                                                                              • Instruction ID: dcdf0946d8d17d08a9782541807a89872d59555f8e0268b43c7ac7e97f3d3de7
                                                                                                                              • Opcode Fuzzy Hash: 31ca2059ac05cb91e75454856ae34bef21ee68809a3fe121615309633edb02bd
                                                                                                                              • Instruction Fuzzy Hash: 3F317BB17493560FC72B162C28206BAAFE65FC2520F2A41AFC142CF357CE558D8943E7
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: tM2l$`_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-701642498
                                                                                                                              • Opcode ID: 154d32981ddceae2269fa334f1be6f6dce9d5e54bf3b5dde105e1d699a0c706e
                                                                                                                              • Instruction ID: 537843253c9c6427e62a074c41bed8f8ab417bca52f5db90c5ed8fb622877ea2
                                                                                                                              • Opcode Fuzzy Hash: 154d32981ddceae2269fa334f1be6f6dce9d5e54bf3b5dde105e1d699a0c706e
                                                                                                                              • Instruction Fuzzy Hash: 61B18374E012099FDB55DFA9D980A9DFBF2FF88300F20862AD419AB354DB74A945CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: tM2l$`_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-701642498
                                                                                                                              • Opcode ID: 6ac83399106f56617bb9ec66ca42a97201d5bf2ac0b93bab31c79df3ad17c16b
                                                                                                                              • Instruction ID: d90830dae25c9243344ca3113457bf4ca773ef5ae1257b37f677b850ffdf9cb2
                                                                                                                              • Opcode Fuzzy Hash: 6ac83399106f56617bb9ec66ca42a97201d5bf2ac0b93bab31c79df3ad17c16b
                                                                                                                              • Instruction Fuzzy Hash: 8EB17374E012099FDB54DFA9D980A9DFBF2FF88300F20862AD419AB314DB74A945CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1744155484.0000000004DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_4dd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: `_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-3297199963
                                                                                                                              • Opcode ID: eaa4560a15b6443e0b035074dbb985b6774ad51d5afe72af61ff239eccecf3bd
                                                                                                                              • Instruction ID: 027935a96151e5fce848970bd1342bc6999050f09e3eee7208a38e4941e75ac0
                                                                                                                              • Opcode Fuzzy Hash: eaa4560a15b6443e0b035074dbb985b6774ad51d5afe72af61ff239eccecf3bd
                                                                                                                              • Instruction Fuzzy Hash: B4915174E012199FDB54DFA9D990A9DFBF1FF48300F20866AE819AB314E730A945CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                                                              • API String ID: 0-2125118731
                                                                                                                              • Opcode ID: 1f6a967043097f5054415cec5dc960f3ceae414b4775e94e2c0ef71b6fb8f829
                                                                                                                              • Instruction ID: 620ec4a9cca6c95d085e9bddf84da0febe155c9d22643171301131cb1919010f
                                                                                                                              • Opcode Fuzzy Hash: 1f6a967043097f5054415cec5dc960f3ceae414b4775e94e2c0ef71b6fb8f829
                                                                                                                              • Instruction Fuzzy Hash: C02168B175030A9BDB24192EAC40B37B7DAABC4711F24843AFA05CF385DE79CD518361
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $^q$$^q$J3l$J3l
                                                                                                                              • API String ID: 0-168449240
                                                                                                                              • Opcode ID: 547e76ab03f434982cf32d3ee4a042b1f50200897ea63d7c21cb0ea64f4c6198
                                                                                                                              • Instruction ID: 87a45f8fff0fc71e49b44b807b8196d354fadd89e39bc74ce77f859a00548872
                                                                                                                              • Opcode Fuzzy Hash: 547e76ab03f434982cf32d3ee4a042b1f50200897ea63d7c21cb0ea64f4c6198
                                                                                                                              • Instruction Fuzzy Hash: 40117DB25083968FC33657285C005A77FE1BFC2620F1986A7C3619F27AC6319D89C796
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000003.00000002.1753426240.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_3_2_7cd0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Tc%k$$^q$J3l$J3l
                                                                                                                              • API String ID: 0-3853788859
                                                                                                                              • Opcode ID: 04a8798854bf7ac0e3fa4464e9e3401628fd525010109c6388f510043c7a420c
                                                                                                                              • Instruction ID: 4be507a27e6927618c9394dd6be101555d73d9b3c03184ce19056a99483f0e30
                                                                                                                              • Opcode Fuzzy Hash: 04a8798854bf7ac0e3fa4464e9e3401628fd525010109c6388f510043c7a420c
                                                                                                                              • Instruction Fuzzy Hash: D8119CB160C3868FC31657295C01496BFB1BFD2220B09C2ABC3619F6A6CA349D81C7A6

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:7.4%
                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                              Signature Coverage:0%
                                                                                                                              Total number of Nodes:3
                                                                                                                              Total number of Limit Nodes:0
                                                                                                                              execution_graph 22133 8ac7560 22134 8ac75a3 SetThreadToken 22133->22134 22135 8ac75d1 22134->22135
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bf662fa0ba497f73f997c1d8fcf25ae16fef323b36e973059418b97c42d69156
                                                                                                                              • Instruction ID: 258b563850de38e0794709c3f0a7db36bd458723d6f030eda8ef88a33036a4ce
                                                                                                                              • Opcode Fuzzy Hash: bf662fa0ba497f73f997c1d8fcf25ae16fef323b36e973059418b97c42d69156
                                                                                                                              • Instruction Fuzzy Hash: CE919075B017184BDB1AEFB4C5246AEBBE2EFC4604B00891DD05AAF340DF746D4A8BD6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 57e05817d063905b5a1c23676ad7285909aecdcdf00662b14de0a21e5c64c11a
                                                                                                                              • Instruction ID: 32320596f4d54e2969118cecc596e55ede08d2081641f311ac17a4f37517aa61
                                                                                                                              • Opcode Fuzzy Hash: 57e05817d063905b5a1c23676ad7285909aecdcdf00662b14de0a21e5c64c11a
                                                                                                                              • Instruction Fuzzy Hash: 8291AF71B017185BDB2AEFB4C5146AEB7E2EFC4600B00892DD05AAF340DF746D4A8BD6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ,S2l$,S2l$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$p5"k$tP^q$tP^q$tP^q$tP^q$tP^q$tP^q$#"k$$"k$$^q$$^q$$^q$J3l$J3l$J3l$J3l$J3l$J3l$R2l$R2l$r2l$r2l$(l$(l
                                                                                                                              • API String ID: 0-2251473273
                                                                                                                              • Opcode ID: 0aba8f17fd02d53fa9aebe172ca147d1a5ef237eeb7f233cada71b1c2321b0cd
                                                                                                                              • Instruction ID: 0b791d871136aadf0b27113b7a43b2eb8258039e811a56d10b7c4925a46a4c5b
                                                                                                                              • Opcode Fuzzy Hash: 0aba8f17fd02d53fa9aebe172ca147d1a5ef237eeb7f233cada71b1c2321b0cd
                                                                                                                              • Instruction Fuzzy Hash: 75C28CB1B843068FCB65AB6CC8057AABBE1BF86351F14887AD505CF352DB35C845CBA1

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
control_flow_graph 483 7783ce8-7783d0d 484 7783f00-7783f16 483->484 485 7783d13-7783d18 483->485 495 7783f18-7783f1e 484->495 496 7783f1f-7783f4a 484->496 486 7783d1a-7783d20 485->486 487 7783d30-7783d34 485->487 491 7783d22 486->491 492 7783d24-7783d2e 486->492 488 7783d3a-7783d3c 487->488 489 7783eb0-7783eba 487->489 493 7783d4c 488->493 494 7783d3e-7783d4a 488->494 497 7783ec8-7783ece 489->497 498 7783ebc-7783ec5 489->498 491->487 492->487 502 7783d4e-7783d50 493->502 494->502 495->496 503 77840ce-77840de 496->503 504 7783f50-7783f55 496->504 500 7783ed0-7783ed2 497->500 501 7783ed4-7783ee0 497->501 507 7783ee2-7783efd 500->507 501->507 502->489 508 7783d56-7783d75 502->508 515 77840e0-77840e5 503->515 516 77840e7-7784112 503->516 505 7783f6d-7783f71 504->505 506 7783f57-7783f5d 504->506 513 7784080-778408a 505->513 514 7783f77-7783f79 505->514 509 7783f5f 506->509 510 7783f61-7783f6b 506->510 517 778408c-7784094 513->517 518 7784097-778409d 513->518 519 7783f89 514->519 520 7783f7b-7783f87 514->520 515->516 524 7784228-778425d 516->524 525 7784118-778411d 516->525 527 778409f-77840a1 518->527 528 77840a3-77840af 518->528 526 7783f8b-7783f8d 519->526 520->526 543 778428b-7784295 524->543 544 778425f-7784281 524->544 532 778411f-7784125 525->532 533 7784135-7784139 525->533 526->513 530 7783f93-7783fb2 526->530 531 77840b1-77840cb 527->531 528->531 573 7783fc2 530->573 574 7783fb4-7783fc0 530->574 536 7784129-7784133 532->536 537 7784127 532->537 541 77841da-77841e4 533->541 542 778413f-7784141 533->542 536->533 537->533 546 7783d87-7783d89 539->546 540->546 547 77841f1-77841f7 541->547 548 77841e6-77841ee 541->548 550 7784151 542->550 551 7784143-778414f 542->551 553 778429f-77842a5 543->553 554 7784297-778429c 543->554 585 7784283-7784288 544->585 586 77842d5-77842fe 544->586 546->489 556 7783d8f-7783d96 546->556 557 77841f9-77841fb 547->557 558 77841fd-7784209 547->558 552 7784153-7784155 550->552 551->552 552->541 562 778415b-778415d 552->562 563 77842ab-77842b7 553->563 564 77842a7-77842a9 553->564 556->484 559 7783d9c-7783da1 556->559 560 778420b-7784225 557->560 558->560 567 7783db9-7783dc8 559->567 568 7783da3-7783da9 559->568 569 778415f-7784165 562->569 570 7784177-778417e 562->570 572 77842b9-77842d2 563->572 564->572 567->489 596 7783dce-7783dec 567->596 576 7783dab 568->576 577 7783dad-7783db7 568->577 578 7784169-7784175 569->578 579 7784167 569->579 580 7784180-7784186 570->580 581 7784196-77841d7 570->581 575 7783fc4-7783fc6 573->575 574->575 575->513 587 7783fcc-7784003 575->587 576->567 577->567 578->570 579->570 588 7784188 580->588 589 778418a-7784194 580->589 604 778432d-778435c 586->604 605 7784300-7784326 586->605 610 778401d-7784024 587->610 611 7784005-778400b 587->611 614 778400d 611->614 615 778400f-778401b 611->615 614->610 615->610 619 778402e 618->619 620 7784030-778403a 618->620 619->617 620->617 637 778437d-778438f 623->637 638 77843e5-77843ea 623->638 626 77843a8-77843ae 624->626 627 77843a1-77843a5 624->627 631 77843b0-77843b2 626->631 632 77843b4-77843c0 626->632 634 7783e6a-7783e9d 630->634 635 7783e26-7783e41 630->635 636 77843c2-77843e2 631->636 632->636 653 7783ea4-7783ead 634->653 644 7783e5b-7783e5f 635->644 645 7783e43-7783e49 635->645 637->624 638->637 650 7783e66-7783e68 644->650 647 7783e4b 645->647 648 7783e4d-7783e59 645->648 647->644 648->644 650->653 588->581 589->581 596->489 608 7783df2-7783e17 596->608 623 778435e-778437b 604->623 624 7784395-778439f 604->624 605->604 608->489 630 7783e1d-7783e24 608->630 617 778403c-778407d 610->617 618 7784026-778402c 610->618
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                              • API String ID: 0-1420252700
                                                                                                                              • Opcode ID: e9b90daf5146d2b98c34a377d656b4e598bf0391716f556074b10adab5ff09c8
                                                                                                                              • Instruction ID: 11aa9310cb6776eff14c99afa8a7994b9a43311a798245c3dcdf3da354bae80e
                                                                                                                              • Opcode Fuzzy Hash: e9b90daf5146d2b98c34a377d656b4e598bf0391716f556074b10adab5ff09c8
                                                                                                                              • Instruction Fuzzy Hash: EB1288B1B842568FCB55AE6CD8017ABBBE2AF81390F1488BAD500CF351DB76D845C7E1

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
control_flow_graph 767 77817b8-77817da 768 7781969-778197e 767->768 769 77817e0-77817e5 767->769 777 7781980-7781986 768->777 778 7781987-77819b5 768->778 770 77817fd-7781801 769->770 771 77817e7-77817ed 769->771 775 7781914-778191e 770->775 776 7781807-778180b 770->776 773 77817ef 771->773 774 77817f1-77817fb 771->774 773->770 774->770 779 778192c-7781932 775->779 780 7781920-7781929 775->780 781 778184b 776->781 782 778180d-778181e 776->782 777->778 784 77819bb-77819c0 778->784 785 7781b04-7781b34 778->785 787 7781938-7781944 779->787 788 7781934-7781936 779->788 783 778184d-778184f 781->783 782->768 796 7781824-7781829 782->796 783->775 789 7781855-7781859 783->789 790 77819d8-77819dc 784->790 791 77819c2-77819c8 784->791 802 7781b44 785->802 803 7781b36-7781b42 785->803 792 7781946-7781966 787->792 788->792 789->775 797 778185f-7781863 789->797 794 77819e2-77819e4 790->794 795 7781ab4-7781abe 790->795 798 77819ca 791->798 799 77819cc-77819d6 791->799 804 77819f4 794->804 805 77819e6-77819f2 794->805 809 7781acc-7781ad2 795->809 810 7781ac0-7781ac9 795->810 807 778182b-7781831 796->807 808 7781841-7781849 796->808 811 7781865-778186e 797->811 812 7781886 797->812 798->790 799->790 813 7781b46-7781b48 802->813 803->813 814 77819f6-77819f8 804->814 805->814 815 7781833 807->815 816 7781835-778183f 807->816 817 7781889-7781911 812->817 823 7781b4a-7781b50 813->823 824 7781b7c-7781b86 813->824 814->795 826 77819fe-7781a16 814->826 815->808 816->808 827 7781ae6-7781b01 818->827 819->827 828 7781884 820->828 821->828 829 7781b5e-7781b79 823->829 830 7781b52-7781b54 823->830 834 7781b88-7781b8d 824->834 835 7781b90-7781b96 824->835 842 7781a18-7781a1e 826->842 843 7781a30-7781a34 826->843 828->817 830->829 839 7781b98-7781b9a 835->839 840 7781b9c-7781ba8 835->840 845 7781baa-7781bc1 839->845 840->845 847 7781a20 842->847 848 7781a22-7781a2e 842->848 852 7781a3a-7781a41 843->852 847->843 848->843 854 7781a48-7781aa5 852->854 855 7781a43-7781a46 852->855 856 7781aaa-7781ab1 854->856 855->856 818 7781ad8-7781ae4 809->818 819 7781ad4-7781ad6 809->819 820 7781870-7781873 811->820 821 7781875-7781882 811->821
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (l$(l
                                                                                                                              • API String ID: 0-2440532555
                                                                                                                              • Opcode ID: 25730cf691957ab8eed3ac9dde81c37c8943a6cdcaf7840bcc2609550769cd19
                                                                                                                              • Instruction ID: 883337c623d549b66d04a6ba2b6840bcc31fab7d1aef755efabca8566b9cfe2d
                                                                                                                              • Opcode Fuzzy Hash: 25730cf691957ab8eed3ac9dde81c37c8943a6cdcaf7840bcc2609550769cd19
• Instruction Fuzzy Hash: 15B177B1B4024DDFCB54AB69D4016BABBE2AFC6260F54C4BED405CB351DB31D846C7A2

Control-flow Graph
control_flow_graph 865 8ac755a-8ac759b 866 8ac75a3-8ac75cf SetThreadToken 865->866 867 8ac75d8-8ac75f5 866->867 868 8ac75d1-8ac75d7 866->868 868->867
APIs
Memory Dump Source
• Source File: 00000006.00000002.1797859230.0000000008AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8ac0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 5f6d670fb71995741c0eebd6d60b606f26e7f895a1d938e4616c157a8e0eeee9
• Instruction ID: 5abf353403afbe6d25635b705477f1de74c4182444950392af3882b340abe2d8
• Opcode Fuzzy Hash: 5f6d670fb71995741c0eebd6d60b606f26e7f895a1d938e4616c157a8e0eeee9
• Instruction Fuzzy Hash: 011125B59002498FDB10DFAEC584B9EFFF4EF59324F24845AD458A7610C774A944CFA1

Control-flow Graph
control_flow_graph 871 8ac7560-8ac75cf SetThreadToken 873 8ac75d8-8ac75f5 871->873 874 8ac75d1-8ac75d7 871->874 874->873
APIs
Memory Dump Source
• Source File: 00000006.00000002.1797859230.0000000008AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_8ac0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: fc240e26e01c89ead6fe67fb2becaa8c0b7a18e79e229bc639e3931d0f002fff
• Instruction ID: 499f769a9ce5ba38308542307e61c3f2a81b448ce19990c3fac69e8fe7d42bec
• Opcode Fuzzy Hash: fc240e26e01c89ead6fe67fb2becaa8c0b7a18e79e229bc639e3931d0f002fff
• Instruction Fuzzy Hash: EC1122B19002088FCB10DF9EC984B9EFBF8EB58324F24841AD458A7210C774A944CFA1

Control-flow Graph
control_flow_graph 877 3216fc8-3216fe7 879 32170ed-321712b 877->879 880 3216fed-3216ff0 877->880 907 3216ff2 call 3217664 880->907 908 3216ff2 call 321767f 880->908 881 3216ff8-321700a 883 3217016-321702b 881->883 884 321700c 881->884 890 3217031-3217041 883->890 891 32170b6-32170cf 883->891 884->883 893 3217043 890->893 894 321704d-321705b call 321bf10 890->894 896 32170d1 891->896 897 32170da-32170db 891->897 893->894 900 3217061-3217065 894->900 896->897 897->879 901 32170a5-32170b0 900->901 902 3217067-3217077 900->902 901->890 901->891 903 3217093-321709d 902->903 904 3217079-3217091 902->904 903->901 904->901 907->881 908->881
Strings
Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: 233496aabe5fce44fbfe81e3390e77e831158fa1d372e8e78004c9fcf3a3d523
• Instruction ID: 8e86a5a308b7e65cdaaab886476b2b34ee9d68e5a11649f2a1e166010deb8190
• Opcode Fuzzy Hash: 233496aabe5fce44fbfe81e3390e77e831158fa1d372e8e78004c9fcf3a3d523
• Instruction Fuzzy Hash: E2414C34B142058FDB04DB68C658AAEBBF1EF8D311F1880A8E406AB395DF36DC41CB60

Control-flow Graph
control_flow_graph 910 321e610-321e63d 911 321e68c-321e6b6 910->911 912 321e63f-321e689 910->912 919 321e73a-321e753 911->919 920 321e6bc-321e6d3 911->920 912->911 922 321e755 919->922 923 321e75e 919->923 934 321e6d5 call 321e774 920->934 935 321e6d5 call 321e7a8 920->935 936 321e6d5 call 321e7b8 920->936 922->923 926 321e75f 923->926 925 321e6db-321e738 925->919 925->920 926->926 934->925 935->925 936->925
Strings
Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID: J3l
• API String ID: 0-3862774051
• Opcode ID: 4e3bed36a3e6c239575055e743dc814fb53263573a88984853b9cdc8695bf2d1
• Instruction ID: 133477bf039d87cd1eea1698c60a58ec0c1aa8f5f95ac72dc9a9bde6bf0d110d
• Opcode Fuzzy Hash: 4e3bed36a3e6c239575055e743dc814fb53263573a88984853b9cdc8695bf2d1
• Instruction Fuzzy Hash: 5541BE34A063858FCB15DF78D954A9DBFF2EF49204F1481A9D406EB395CB34AC49CB91

Control-flow Graph
control_flow_graph 937 321e640-321e6b6 945 321e73a-321e753 937->945 946 321e6bc-321e6d3 937->946 948 321e755 945->948 949 321e75e 945->949 960 321e6d5 call 321e774 946->960 961 321e6d5 call 321e7a8 946->961 962 321e6d5 call 321e7b8 946->962 948->949 952 321e75f 949->952 951 321e6db-321e738 951->945 951->946 952->952 960->951 961->951 962->951
Strings
Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID: J3l
• API String ID: 0-3862774051
• Opcode ID: 8b16defd48b79918f96a4d8eb1b5442e15fdc5396366101c9f8ee2cd03f317ee
• Instruction ID: 8b0c6d33ad827f0ced0b63612ff0b776469d294a30767994aacc4d82179653a9
• Opcode Fuzzy Hash: 8b16defd48b79918f96a4d8eb1b5442e15fdc5396366101c9f8ee2cd03f317ee
• Instruction Fuzzy Hash: C5316C35A01205DFCB14EF69DA94A9EFBF2FF88304F148568E416AB394DB34AD45CB90

Control-flow Graph
control_flow_graph 963 321af98-321af9f 964 321afa6-321afaa 963->964 965 321afa1 call 321a984 963->965 966 321afba-321b055 964->966 967 321afac-321afb9 964->967 965->964 974 321b057-321b05d 966->974 975 321b05e-321b07b 966->975 974->975
Strings
Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID: (&^q
• API String ID: 0-2067289071
• Opcode ID: 83b7faa635d8b196bb7e678182ab6910fa0abc2a80f2adf0543c9f7197ab9932
• Instruction ID: 15d98165d71ebfeda4f8fdeabc4680b922464eaa14db4744632f8e811800791a
• Opcode Fuzzy Hash: 83b7faa635d8b196bb7e678182ab6910fa0abc2a80f2adf0543c9f7197ab9932
• Instruction Fuzzy Hash: B921FC71A042588FCB14DFAED500BAEBFF5EF88320F14806AD008AB340CB759845CBE5

Control-flow Graph
control_flow_graph 978 321f3c1-321f410 979 321f419-321f440 978->979 982 321f441 979->982 982->982
Strings
Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID: U
• API String ID: 0-3372436214
• Opcode ID: bb09034675a25b4e562bd81e6ec47229bda63e5afde86a725a17bc3dd51bab90
• Instruction ID: b810084f376a5e421b11b68356177e6fe1b37f4c638dff70bd0658bc224957b4
• Opcode Fuzzy Hash: bb09034675a25b4e562bd81e6ec47229bda63e5afde86a725a17bc3dd51bab90
• Instruction Fuzzy Hash: F8010C71D10B5E9FCB04DFE4C9446EEBBB1FF99300F10471AE115AA605EBB06695CB81

Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aaa12ba665a0b2857668ae876cf34014afbe111c0eac1e7fb519a8eaef76fa80
• Instruction ID: 1fee7e437b8123840f93c186b15243a39d91bac90cfbcfd71bd3d5579a12e4f8
• Opcode Fuzzy Hash: aaa12ba665a0b2857668ae876cf34014afbe111c0eac1e7fb519a8eaef76fa80
• Instruction Fuzzy Hash: B0919234B202198FCB14DF79DA5456EBBE6BF88710B194069E802EB364DF71DC82CB91

Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebaafb400ca0ef1dfc115e1b9efb95691fc8f31856cd0e8b2437280fe526bc25
• Instruction ID: 7c7915f3ff6471b0c24c9f72cdbf715c28899cd19501812ddaec868fd9248a75
• Opcode Fuzzy Hash: ebaafb400ca0ef1dfc115e1b9efb95691fc8f31856cd0e8b2437280fe526bc25
• Instruction Fuzzy Hash: FB916970A00205CFCB15CF58C5949AEFBF5FF88310B258999E955AB365C736EC91CB90

Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64019d1c15ea3bbe1efa72e186059774cfac216c4a0eaba47583eaa74969ab7b
• Instruction ID: b9b4eee8ec50119cbb4e75d0969f3263f433d51b350b498325576f3e6e6434db
• Opcode Fuzzy Hash: 64019d1c15ea3bbe1efa72e186059774cfac216c4a0eaba47583eaa74969ab7b
• Instruction Fuzzy Hash: 35613875E013498FCB14CFA9C594A8DFFF5EF98310F18816AE809AB365DB349885CB90

Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1871fca809452cfc741b5ce7fa071ce07ac92f7c01bc0534e0fcdfaed1d321ff
• Instruction ID: 3da6c50cb8972d54b26e76e2c8b95bb36ce11c8319d847148e6ca955515dee59
• Opcode Fuzzy Hash: 1871fca809452cfc741b5ce7fa071ce07ac92f7c01bc0534e0fcdfaed1d321ff
• Instruction Fuzzy Hash: 9951F2353142059FD705DB6DD944A2AB7EAFFC8310F1984A9E509CB392EB71EC41CBA0

Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a77dbc79af3603e06e2e645259d90bff81c476eb033b08cd5d9f16b00a12660
• Instruction ID: d99e9332191f35ac3e171a70559fd90a7464eae745c52b4922eacf3aed057847
• Opcode Fuzzy Hash: 3a77dbc79af3603e06e2e645259d90bff81c476eb033b08cd5d9f16b00a12660
• Instruction Fuzzy Hash: 4D611771E112498FCB14DFA9C584ADDFBF5EF98310F19816AE809AB354DB749881CB90

Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d3f77fff87d9c072c17ed7534fe9824a0e2ebe4a8af54c467c073715d40336e
• Instruction ID: 8f1ca4c3f5822ce74204503bd4e2ec5389ce04700559357c1ebd24b5f672123f
• Opcode Fuzzy Hash: 5d3f77fff87d9c072c17ed7534fe9824a0e2ebe4a8af54c467c073715d40336e
• Instruction Fuzzy Hash: 6C5163347102068FCB10DF6CCA94969BBE6EFD831471685A9F809CF365EB74DC418B90

Memory Dump Source
• Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f2fa60f659972e9f8efedd9b4659245438e242ed75fcbb225544c1050515348d
                                                                                                                              • Instruction ID: e16abd7c828d1cd8f1b48911a98516e64cdadfbf2d9e0390f5caf09f200617f8
                                                                                                                              • Opcode Fuzzy Hash: f2fa60f659972e9f8efedd9b4659245438e242ed75fcbb225544c1050515348d
                                                                                                                              • Instruction Fuzzy Hash: CC4131747102068FCB10DF6CCA9496ABBE6EFD8314B1684A9F909DF365EB74DC418B90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3f009d9cfd668002bb460c9869c62959696d938de978ab2a4dffc0d24b9fdb53
                                                                                                                              • Instruction ID: 50ac71fc2643cf1425b467f904ea9c0ed812c2dce2b07bf3c139e99480bfe1e5
                                                                                                                              • Opcode Fuzzy Hash: 3f009d9cfd668002bb460c9869c62959696d938de978ab2a4dffc0d24b9fdb53
                                                                                                                              • Instruction Fuzzy Hash: 7E412BF1A40206CFCB559F6CC441B6EBBE2AF45B90F144496D5009F355D739DC45CBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 39dea1da28bf0b68fbbd39a843ffd2753a756e5d90899e57a336d13f2fc615a0
                                                                                                                              • Instruction ID: 89fcd95a2909a07a0938fed529e4b4dd524cc61b4a23b1e328681b54d5e47c76
                                                                                                                              • Opcode Fuzzy Hash: 39dea1da28bf0b68fbbd39a843ffd2753a756e5d90899e57a336d13f2fc615a0
                                                                                                                              • Instruction Fuzzy Hash: C8417F346142458FDB05CF68CA54AAEBFF1AF9E310F1980A9D445EB3A2DB35DC41CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5562a344166f776dce7181520808252f5ac496e9773aab8f9e7c49214bd85169
                                                                                                                              • Instruction ID: de6f01f7ea916297c5b0023dc3532929219185aa8855821e37170590382f4fc7
                                                                                                                              • Opcode Fuzzy Hash: 5562a344166f776dce7181520808252f5ac496e9773aab8f9e7c49214bd85169
                                                                                                                              • Instruction Fuzzy Hash: A84147B4A10605CFCB05CF58C298AAAF7B5FF48310B158599D915AB364C736FD91CF90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c828734bec4bd6dbfbf758d419cdf9528de0c18a0f85682f6ccc054cd9fac0a6
                                                                                                                              • Instruction ID: 70c509594edc19366bc444aa5eaaea75683a79a387edd5613a985d0c6fdae005
                                                                                                                              • Opcode Fuzzy Hash: c828734bec4bd6dbfbf758d419cdf9528de0c18a0f85682f6ccc054cd9fac0a6
                                                                                                                              • Instruction Fuzzy Hash: 7231BE353013019FD705EB78E950BAAB796EFC4215F04827AD10ACB3A5DF71A889CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 59571324b2f37f6bb37780c7c17f64b16c1f9bf7d1ebf7f9d30a09046f22bfbd
                                                                                                                              • Instruction ID: 79a01db85736256cc56aba32acc82f85cd8e70e28c3584c1afad184c646042db
                                                                                                                              • Opcode Fuzzy Hash: 59571324b2f37f6bb37780c7c17f64b16c1f9bf7d1ebf7f9d30a09046f22bfbd
                                                                                                                              • Instruction Fuzzy Hash: D7316D74E112098FCB15DFA9C5946AEBBF6EF88310F1480A9E405EB754EB758C818BA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7a32ae4790581c7e2c5efcd6585e972bd5d085960a1ae5572f43cff0c20361f7
                                                                                                                              • Instruction ID: 403016934e20369f7aba147bcee4364b4d2e17e19abb785bb714228e55c82422
                                                                                                                              • Opcode Fuzzy Hash: 7a32ae4790581c7e2c5efcd6585e972bd5d085960a1ae5572f43cff0c20361f7
                                                                                                                              • Instruction Fuzzy Hash: A9314C74E112098FDB14DFA9C5947AEBAF6EF88310F148069E405EB354EB758C818BA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 89bf31c350ccd02875c9aff041d16592562a0e503216930fce158fa1adbd1d23
                                                                                                                              • Instruction ID: 12ea1548aba5885e61e096a53c310ee79987903aa2e281cb957b371851f9fd36
                                                                                                                              • Opcode Fuzzy Hash: 89bf31c350ccd02875c9aff041d16592562a0e503216930fce158fa1adbd1d23
                                                                                                                              • Instruction Fuzzy Hash: D43190B8A013499FDB01DB74D854AEFBBB2EFC4300F1184A9D115AF3A5CA759D428B91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 38067ef1eae06d50d341c9aaba79b273c10105f8b408c8ffda3297612130c622
                                                                                                                              • Instruction ID: 2d25500dbd67b5a52254a07f606602b9ffa9c1e2ca0def3d54a9f2f99929eb20
                                                                                                                              • Opcode Fuzzy Hash: 38067ef1eae06d50d341c9aaba79b273c10105f8b408c8ffda3297612130c622
                                                                                                                              • Instruction Fuzzy Hash: 5C319C34A012148FCB54DF68D498A9EBBF2EF89314F0545ADD806EB3A1CB709C80CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 845eaf629f8d83fb629771b241dba44c6a99ca03ca08d893029ebbabee66bed2
                                                                                                                              • Instruction ID: ac83210130a82f5bd343f167fded0a59d2cbdbca180a732f2b677cbbd5f02ca6
                                                                                                                              • Opcode Fuzzy Hash: 845eaf629f8d83fb629771b241dba44c6a99ca03ca08d893029ebbabee66bed2
                                                                                                                              • Instruction Fuzzy Hash: 97317A34A112148FCB54DF68D598A9EBBF6FF88314F058569D806EB390DF74AC85CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 125be371213b715c000d6f2ab00ca46530df9df43d79f01d962fb8768263db4c
                                                                                                                              • Instruction ID: 9d21ed9d3a93902a8479f47a19488c0359ab961b213979058e6ee581d4845080
                                                                                                                              • Opcode Fuzzy Hash: 125be371213b715c000d6f2ab00ca46530df9df43d79f01d962fb8768263db4c
                                                                                                                              • Instruction Fuzzy Hash: 153150B8E012099FDB04EFA4D854AEFB7B2EFC4300F1184A9D115AF394DA35AD418F91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1772672037.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_300d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 930498806c594d1016d82e58ba5bf560698ef0776ac125a672c037ebaae4dbe2
                                                                                                                              • Instruction ID: 00b73c2ae0563bb4046b7b69b12813026ac27c6082205aad0529285bfd9f3ef8
                                                                                                                              • Opcode Fuzzy Hash: 930498806c594d1016d82e58ba5bf560698ef0776ac125a672c037ebaae4dbe2
                                                                                                                              • Instruction Fuzzy Hash: FF214471508201EFEB15DF14D9C0B2ABFA5FB88314F24C5A9ED094A696C336C456DBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: fae4e3f1a34b5ccb054eafb5bd7f2adf5bf235992af42e5644a3e58b51bcc3dd
                                                                                                                              • Instruction ID: c2518c1b6bb232de2fcd001037e111b5e4eeabbedda23add2d94a4cab07248b3
                                                                                                                              • Opcode Fuzzy Hash: fae4e3f1a34b5ccb054eafb5bd7f2adf5bf235992af42e5644a3e58b51bcc3dd
                                                                                                                              • Instruction Fuzzy Hash: FD319A749057888EDB60CF6AC1887CAFFE2EF99324F28C46DC44DAB205C7B45481CBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1772672037.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_300d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 74c2e02138fdb14128dfce5e46764467fa2cf79bdca79170016b209048492ca2
                                                                                                                              • Instruction ID: 760ec458ddb4b08be3cf1f0b593be733e7278562ac11ceb875dbdb7fd8cf9908
                                                                                                                              • Opcode Fuzzy Hash: 74c2e02138fdb14128dfce5e46764467fa2cf79bdca79170016b209048492ca2
                                                                                                                              • Instruction Fuzzy Hash: 3CF04975100A80AFD321CF06C984D23BBB9EB95634B198489A88A4B752C630FC42CFA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9cba9d1262221b107032b6cabc18b825c6cf7523d9d7d4d06325a7b367fee540
                                                                                                                              • Instruction ID: 4e053201d596fa194d0c4a9660542b496481671f10ad7220fcd4ae99841a0161
                                                                                                                              • Opcode Fuzzy Hash: 9cba9d1262221b107032b6cabc18b825c6cf7523d9d7d4d06325a7b367fee540
                                                                                                                              • Instruction Fuzzy Hash: 6501C071D1075AAACB04DFE4C9446EEBBB1FFA9300F10472AE015A6604EBB02696CB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e053d12f4495f8a98f883c276f4ff0f7f6af93e9344d667e09e533c99bb98ed9
                                                                                                                              • Instruction ID: ffcdd7c6f76e00b429f636374600a0fe9fbee83ace700925bf4fb4986a869ed7
                                                                                                                              • Opcode Fuzzy Hash: e053d12f4495f8a98f883c276f4ff0f7f6af93e9344d667e09e533c99bb98ed9
                                                                                                                              • Instruction Fuzzy Hash: 60F090345093544FD7618F78D89838A7FA4EF42210F4444AAD54ECB282DB346881C791
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e957eb0e9faafbc3dd76a2b2e4476f04c3aaef48110a6490bcb1df53a0262b1e
                                                                                                                              • Instruction ID: d3798c0c27a5042cb1f74afd6fe27e710da480ac5c1b9c9ae8b3230b27d528fc
                                                                                                                              • Opcode Fuzzy Hash: e957eb0e9faafbc3dd76a2b2e4476f04c3aaef48110a6490bcb1df53a0262b1e
                                                                                                                              • Instruction Fuzzy Hash: 6BF0A0357007149FD710EB6AE884A6FB7E9EBC9271B00092DE10AD7340DF70AC5587A0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 53f2238b559d56b5b13452e6e3891ee72f529a79d80cc4df6e9ae6c931aca319
                                                                                                                              • Instruction ID: 54b90d20d3667c1ebdd8eb92e4caeb7e49568867a07b4d5b0c57fbde28453b99
                                                                                                                              • Opcode Fuzzy Hash: 53f2238b559d56b5b13452e6e3891ee72f529a79d80cc4df6e9ae6c931aca319
                                                                                                                              • Instruction Fuzzy Hash: FBE0F131F243981ACF10436C9C85ACEBFD4EFC6130F0401FDCA067B502C1E004258381
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 300e1bd79b703a09f83982829cc1a769a03a7f4f346190f81fd79b527d4dada9
                                                                                                                              • Instruction ID: 2846c9488ef1c9891b72e8deb3b729a01a14082c409d868601a5aec9ed5f1e4d
                                                                                                                              • Opcode Fuzzy Hash: 300e1bd79b703a09f83982829cc1a769a03a7f4f346190f81fd79b527d4dada9
                                                                                                                              • Instruction Fuzzy Hash: 05F02739A006045BE701EB69C0143EB77D6EBC1728F1081AECA094B384DE3A7802C7E1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 41982b8c296027ed3914eb523dfeb3f7d3ae60cb88ba2d8a5ff3b8116e1a8e3b
                                                                                                                              • Instruction ID: 3bfa258a2040bc40a6497616f0db7a81eeaf963f20c3f155385bd5d878cd2fce
                                                                                                                              • Opcode Fuzzy Hash: 41982b8c296027ed3914eb523dfeb3f7d3ae60cb88ba2d8a5ff3b8116e1a8e3b
                                                                                                                              • Instruction Fuzzy Hash: 07F0E5393106098FCB00DBADDE405DAB7E6EFCC251B1941A4E509CB329DF34CC524BA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2b3d111173f583de9b1a90925245597d42dfd58da607c66e6dc941ecee32c2ce
                                                                                                                              • Instruction ID: b3ae018e43e504acfceaa5b7747a8625d65cf14f246f732084025a6ffd7c265c
                                                                                                                              • Opcode Fuzzy Hash: 2b3d111173f583de9b1a90925245597d42dfd58da607c66e6dc941ecee32c2ce
                                                                                                                              • Instruction Fuzzy Hash: ADF0E53624ABA05FC313D32DA9108AE7FA5DEC226130845DED159CF252CA90C80587F2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 83d838219bc5963cf769a24528abbb07b705ba3dbcda473ceed5160f526fe267
                                                                                                                              • Instruction ID: 92717dd58cce9ce73425ceef3e8edb79d738ffbc35229a9229d8816ecd9582f1
                                                                                                                              • Opcode Fuzzy Hash: 83d838219bc5963cf769a24528abbb07b705ba3dbcda473ceed5160f526fe267
                                                                                                                              • Instruction Fuzzy Hash: E5E0E5353501118F8610DB1DD498C26BBFAEFDE66671A10AAF649CB335DA61EC11CBD0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5bb7c3df8cc544bcd0b1fb99ee052cbff57b6400ddf7e06ffcb42962c5108e53
                                                                                                                              • Instruction ID: 878358099ff856babea971515444bb53bba218a5b78d9c0b7e1237305afc470c
                                                                                                                              • Opcode Fuzzy Hash: 5bb7c3df8cc544bcd0b1fb99ee052cbff57b6400ddf7e06ffcb42962c5108e53
                                                                                                                              • Instruction Fuzzy Hash: 22E0681131A3D50BCB27D3B819901BAAFC64DC206130C01FEC604DF103DD808C4183E2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 577b3c936dc11b5cf4352d64afde5681272281da9b940823780a36dc67e86bc6
                                                                                                                              • Instruction ID: e1340255ca2c3902e17ff005a88224a5fad099e052dfec72373f108da98bb80f
                                                                                                                              • Opcode Fuzzy Hash: 577b3c936dc11b5cf4352d64afde5681272281da9b940823780a36dc67e86bc6
                                                                                                                              • Instruction Fuzzy Hash: D8F06D39A12218EFCB00CF98E985D9DFBB2FB48711B16859AE905A7351CB31AD12CB40
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: da4d5789e0d277b5509a1235b5e2e6059c9b1ccfa656ca4eed6167f514ddf8c7
                                                                                                                              • Instruction ID: 3b002f7a1779714106fd3e110c3b0412aced3418743640167a7d653545f89f8c
                                                                                                                              • Opcode Fuzzy Hash: da4d5789e0d277b5509a1235b5e2e6059c9b1ccfa656ca4eed6167f514ddf8c7
                                                                                                                              • Instruction Fuzzy Hash: 86F0A7353097A44BCB0A577494185DD3FA1DFC2254F04419FD505CB283CE6419458396
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e96accbcc328aedb303a81f0485d4a4526c7e4b59d599a863fe822c31c50f57e
                                                                                                                              • Instruction ID: f3b54a4f6b3a8c25a3a13383f4527e8e4d2456319f79dc7f431fe4d326fc1043
                                                                                                                              • Opcode Fuzzy Hash: e96accbcc328aedb303a81f0485d4a4526c7e4b59d599a863fe822c31c50f57e
                                                                                                                              • Instruction Fuzzy Hash: 0CE02B35724450A7CB18C65CE8004F9BFB5DFC9321F0481BFD50AA7604CA71595686E0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bf310f5e8ce39d3d9c5f7c13f7fc04dba0a53c3c9477fb12a92291f9e97fcb2e
                                                                                                                              • Instruction ID: 1eaa15a92505193419960f93f18515b46892599f312adc629906088d1ef2f4c8
                                                                                                                              • Opcode Fuzzy Hash: bf310f5e8ce39d3d9c5f7c13f7fc04dba0a53c3c9477fb12a92291f9e97fcb2e
                                                                                                                              • Instruction Fuzzy Hash: 22E0D81532E7D5078B26C23D64604A6AFF28DD312030D81FEE085CF257D85288868351
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 11d5ee9ed030ebac9e519498e0cfa89650557d3b11c5a80cff3874a0200f2c1c
                                                                                                                              • Instruction ID: e091ee7328b77708d73e65ed46ef571ea8b7c858ba8aa646111a9550c7220587
                                                                                                                              • Opcode Fuzzy Hash: 11d5ee9ed030ebac9e519498e0cfa89650557d3b11c5a80cff3874a0200f2c1c
                                                                                                                              • Instruction Fuzzy Hash: C2F06D709013144FD360DF78D49C3DABBE9EB44310F0044ADD64EC7380DB39A8818B91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ec8c3639180440e5930af0eb36e00b45dad8ac4434d12306f77812b5cbd41e7a
                                                                                                                              • Instruction ID: 9b7ffc785b9296380dc270db56544eac67c743c1c354b9d974ff575b030677d4
                                                                                                                              • Opcode Fuzzy Hash: ec8c3639180440e5930af0eb36e00b45dad8ac4434d12306f77812b5cbd41e7a
                                                                                                                              • Instruction Fuzzy Hash: C6E0263930532847CB097774A40C2EE7A96EBC5724F04406ED60A87381CFB9680283DA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c4d66bad1a3ef94cb88a4f389eb1884f327b997ffa0752a6501e7aa837453e0c
                                                                                                                              • Instruction ID: 6a6c07a56b7e329b010dfeff31ace04003a07f4c28f81cf17fbbafa081dc1e29
                                                                                                                              • Opcode Fuzzy Hash: c4d66bad1a3ef94cb88a4f389eb1884f327b997ffa0752a6501e7aa837453e0c
                                                                                                                              • Instruction Fuzzy Hash: F0D09712361266230978F2FE0AD02BBE0CF8FD00A1308007ACB08CB300EE80CCA103F0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d30e3788e235611b9f779c6da2c88c927553e79556e1bb33db6f884e2bdeb67d
                                                                                                                              • Instruction ID: 3a30d1e5898734c68a712d269d63cd5b5abebc9bd02664d1acfeec28edc2648e
                                                                                                                              • Opcode Fuzzy Hash: d30e3788e235611b9f779c6da2c88c927553e79556e1bb33db6f884e2bdeb67d
                                                                                                                              • Instruction Fuzzy Hash: 23E0C2367417284B8212E72EAA108AFB7DADFC467134484AEE129CB340DFA0DC4687D5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                              • Instruction ID: ec0b24e1ce3eaa3c2f21a1f3d9f887f04774edf24f513464066e81b6e8701aef
                                                                                                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                              • Instruction Fuzzy Hash: D9E08631B20014E78B08DA59D4104EDFBAADBCC221F04807AD90AA7340DA72595686E1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e22e6e452c1d0772e897a00961837dfbc505130bf9a26772418a449defb80bd8
                                                                                                                              • Instruction ID: 42fe0980cb1fa5474715f16c5a88bdd73646b38ac66b5626919cbfed6a1d7598
                                                                                                                              • Opcode Fuzzy Hash: e22e6e452c1d0772e897a00961837dfbc505130bf9a26772418a449defb80bd8
                                                                                                                              • Instruction Fuzzy Hash: B1E04F3581525DCBCB09ABA4D85A4ED7F70EE15302B40009CEA5A52191DAB02A86CBC1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 244265dff9d6b344117639cf4b9465d447ba1dd3e524cbaa7c0ad39f057afcf3
                                                                                                                              • Instruction ID: b3240804f2d71071f2cdb637001c108e5ebd82e087d748ee4830a8f738dded0c
                                                                                                                              • Opcode Fuzzy Hash: 244265dff9d6b344117639cf4b9465d447ba1dd3e524cbaa7c0ad39f057afcf3
                                                                                                                              • Instruction Fuzzy Hash: 53E0DF3491838A8BCB04DBA8D8468AEBFB0FF06351B00429EE94997302D6311982CFC1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f41dae86a13b8424aa342f73d4bf6d5f0dc07fee0241b5c3c54651edacf25b1f
                                                                                                                              • Instruction ID: 49b3119481705813011d3fe02a7ad5e3ead0b42b84e03a9cde80dcea30b45d88
                                                                                                                              • Opcode Fuzzy Hash: f41dae86a13b8424aa342f73d4bf6d5f0dc07fee0241b5c3c54651edacf25b1f
                                                                                                                              • Instruction Fuzzy Hash: AFE01A70D5410A9F8780EFA889815A9FBF0EB58200F6085AA8919D3312E3328A56CFC1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                              • Instruction ID: c74bf451f0fdc9f5bcea24d2560361e7f76a76239702031731870e5d005b4663
                                                                                                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                              • Instruction Fuzzy Hash: 79D067B0D14209AF8780EFADC94156EFBF4EB58200F6085AA8919E7301F7729A52CBD1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 18b2dc4acef7432a9d080ade2d95de04e3d9305e8f8f986ce726859cdd7c4779
                                                                                                                              • Instruction ID: d34c968dc9d73322a38e573d2c928a96638d424aefdee700f426a8ceb5f41b57
                                                                                                                              • Opcode Fuzzy Hash: 18b2dc4acef7432a9d080ade2d95de04e3d9305e8f8f986ce726859cdd7c4779
                                                                                                                              • Instruction Fuzzy Hash: 73D0673581521DCBCB08EBA4E85A4FDBB74FB14301F4041ADE91752191EA712A5BCAC5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 668e1d0a33159981f5599756ab9fce9e5b3409789b167ac3a059f872a786510c
                                                                                                                              • Instruction ID: 9459032d694d34f8c21949cf0a556bace1533e6656bae1c080ff1e69067d6b0b
                                                                                                                              • Opcode Fuzzy Hash: 668e1d0a33159981f5599756ab9fce9e5b3409789b167ac3a059f872a786510c
                                                                                                                              • Instruction Fuzzy Hash: C3D01234A1430E9BC704DFA4D44646DBBB4E744301F004159D94593340EA706951CBC1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d5719d1dad3de63fe0fc21aeec832ae4b5d1d8dc1b6d8d31c84cee85fd4cfd63
                                                                                                                              • Instruction ID: 1f534d4964aff9c82816358d8d44e9e310448c97495ebf0363be10a0dccac1e7
                                                                                                                              • Opcode Fuzzy Hash: d5719d1dad3de63fe0fc21aeec832ae4b5d1d8dc1b6d8d31c84cee85fd4cfd63
                                                                                                                              • Instruction Fuzzy Hash: A6D09239B41218CFDB14CB98E895ADDF3B1FF84326F1180A9E91A97251CB32A952CB40
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 23447bad35ecc69d438f58facff39533af2f61bd9333861526dfebc4aff27b99
                                                                                                                              • Instruction ID: dee628161282185fd1f3be59d83384f54272507c828a642eaf9e629b57e309f3
                                                                                                                              • Opcode Fuzzy Hash: 23447bad35ecc69d438f58facff39533af2f61bd9333861526dfebc4aff27b99
                                                                                                                              • Instruction Fuzzy Hash: B7C0025955E7E01EEF0383358D997167FB15F4361AF0A41C9D181CF8A7C6A9880AC792
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 38ea37309b50639bb65664f5ade92164b02c170a326fec6b6aa2632fbae87d88
                                                                                                                              • Instruction ID: b9d0c9f07647d55d13922e78cf438ccd60ebbc9171814ce3db120c387eec6a43
                                                                                                                              • Opcode Fuzzy Hash: 38ea37309b50639bb65664f5ade92164b02c170a326fec6b6aa2632fbae87d88
                                                                                                                              • Instruction Fuzzy Hash: CEC0123150D3828BE31A6B30D494804BF50AB06214B0208CDE06A1A2E2CABAA48DCB02
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cf29506568f77dd767d63dc82301e6dfa807fb6dd27063027bdaa17fdce149cc
                                                                                                                              • Instruction ID: ed796b5d183bc9da80a609e48e252cb0b074f3069b6ccc60a1d5bf76e82ee667
                                                                                                                              • Opcode Fuzzy Hash: cf29506568f77dd767d63dc82301e6dfa807fb6dd27063027bdaa17fdce149cc
                                                                                                                              • Instruction Fuzzy Hash: 1EB092310487098FC24A7F75E448814B329BB4021938008ACE90F1A2928E76E899CA45
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $c%k$4'^q$4'^q$4'^q$4'^q$840l$840l$tP^q$tP^q$J3l$J3l$J3l$J3l$J3l$r2l$r2l
                                                                                                                              • API String ID: 0-1201355405
                                                                                                                              • Opcode ID: ea71262d65ef729cd57cd0286a5ce32247b97d0d7ac5853611739b0bc22abbbf
                                                                                                                              • Instruction ID: d6b3be4a99958ff2efcf36932d4293ca9ad3d2a1691b2487567000872ca872b0
                                                                                                                              • Opcode Fuzzy Hash: ea71262d65ef729cd57cd0286a5ce32247b97d0d7ac5853611739b0bc22abbbf
                                                                                                                              • Instruction Fuzzy Hash: AED18CB1B843498FC755AB68D4047A6BFF1AFC6251F1488AFC515CF252DB31C886C7A2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$$^q$$^q$$^q$(l$(l
                                                                                                                              • API String ID: 0-1209065596
                                                                                                                              • Opcode ID: 572c0ff7dda68bf18fc60756947a281b2ae778469a7e284935cca2db6b954cfe
                                                                                                                              • Instruction ID: b914df8ddee871319c00f855b86396964e92a92c578ea12f1f34f9cefeff8814
                                                                                                                              • Opcode Fuzzy Hash: 572c0ff7dda68bf18fc60756947a281b2ae778469a7e284935cca2db6b954cfe
                                                                                                                              • Instruction Fuzzy Hash: 62516BF57843468FCB646A2DC80066EBBA1AFC2A91F24887BD445CB352DA35C845C7A1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ,bq$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                              • API String ID: 0-13851718
                                                                                                                              • Opcode ID: 449aac9d62299ce29f2e14de94df07671a432a609518a02fe8f4b0cd79150641
                                                                                                                              • Instruction ID: 3c1a66f4c2743b3362fcc0cb0c8c8dd9e89ce0c1ee22168193a1aeb86054be32
                                                                                                                              • Opcode Fuzzy Hash: 449aac9d62299ce29f2e14de94df07671a432a609518a02fe8f4b0cd79150641
                                                                                                                              • Instruction Fuzzy Hash: 9751BF307A44198FCB28EB788E5482C3BDBAF99B5431604EAD816CF3B5DE55CCD28752
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Tc%k$$^q$$^q$J3l$J3l$J3l$J3l
                                                                                                                              • API String ID: 0-3089719575
                                                                                                                              • Opcode ID: 3514b06e1623b04c13f208468c2a20a0b394d25d10ff506412ebd299cdf7876d
                                                                                                                              • Instruction ID: a18c698f09c4d92f6bae5e5e1069e6820868292b5bc050c76fe245306d86dceb
                                                                                                                              • Opcode Fuzzy Hash: 3514b06e1623b04c13f208468c2a20a0b394d25d10ff506412ebd299cdf7876d
                                                                                                                              • Instruction Fuzzy Hash: 453145B6E883854FC36667289C00193BFA17BD26517294DABC250CF67BC9358C84C3A2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: tM2l$`_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-701642498
                                                                                                                              • Opcode ID: 6a5a5af12c5a26daf8be87cbc3e77b028787f5d938ee1a246be947d4ce746eff
                                                                                                                              • Instruction ID: 8485b5028aa25b67bbd5c57df86d1a8880fbf7a4fde380774013b3e1c9e90330
                                                                                                                              • Opcode Fuzzy Hash: 6a5a5af12c5a26daf8be87cbc3e77b028787f5d938ee1a246be947d4ce746eff
                                                                                                                              • Instruction Fuzzy Hash: FCB1B274E0120A9FCB55DFA9D990A9DFBF2FF88300F148629D819AB354DB30A955CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: tM2l$`_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-701642498
                                                                                                                              • Opcode ID: 19dd7413ec2f23c6cca1db73f502bed84f133d2f6cad38a77361b1ae632f4cf4
                                                                                                                              • Instruction ID: c1b50b58d28d84d9bece77e2e554ac210b7ae1b2214ac65a8a8d42928d965fcf
                                                                                                                              • Opcode Fuzzy Hash: 19dd7413ec2f23c6cca1db73f502bed84f133d2f6cad38a77361b1ae632f4cf4
                                                                                                                              • Instruction Fuzzy Hash: 70B1A474E012099FCB55DFA9D990A9DFBF2FF88300F108629D819AB354DB30A955CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: `Q^q$$^q$$^q$$^q
                                                                                                                              • API String ID: 0-2499013975
                                                                                                                              • Opcode ID: a3772e309ab2d1c38a54d3d09f4cf6a1d6656560a211fb6224fcd8c0311d20c6
                                                                                                                              • Instruction ID: 0618dcc67568bac3534f013292e7645b19d3284fc45b187224dbb1401a5a4b99
                                                                                                                              • Opcode Fuzzy Hash: a3772e309ab2d1c38a54d3d09f4cf6a1d6656560a211fb6224fcd8c0311d20c6
                                                                                                                              • Instruction Fuzzy Hash: C0E139347601118FDB14DB788B1463EB6D7AFD9B10B2944AAD806DF3B4EE75CC828792
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1774402419.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_3210000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: `_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-3297199963
                                                                                                                              • Opcode ID: 266d19f7ac360177ab58b24c9ee1300b4d97b3b825eaab72809b8351de4015ae
                                                                                                                              • Instruction ID: ebb134ea024a88a513209d3285fdfb0d5080ed9ccaff2782e44757594f405eb9
                                                                                                                              • Opcode Fuzzy Hash: 266d19f7ac360177ab58b24c9ee1300b4d97b3b825eaab72809b8351de4015ae
                                                                                                                              • Instruction Fuzzy Hash: ED91A274E0120A9FDB55DFA9D590A9DFBF2FF88300F10866AE419AB314D730A955CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                                                              • API String ID: 0-2125118731
                                                                                                                              • Opcode ID: 4057e0a7b15733c1af5b4faf64486aa5cf467d7ffc30b9b5880b53efdadfa90f
                                                                                                                              • Instruction ID: 74d96bbe9a792e6a90586565a713de3cb26b043f8126fd6a26576f796741fec0
                                                                                                                              • Opcode Fuzzy Hash: 4057e0a7b15733c1af5b4faf64486aa5cf467d7ffc30b9b5880b53efdadfa90f
                                                                                                                              • Instruction Fuzzy Hash: C7216BB174020A9BDBA4692AC804B27BBDA6BC0791F24883BE905CF385DD75D8518361
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1794209962.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7780000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                              • API String ID: 0-2049395529
                                                                                                                              • Opcode ID: 1112f72abc3ddb3f83135b63168e5fc10e559540825b375fbe3406e214bcd400
                                                                                                                              • Instruction ID: f8db53d932b434ce75515b771e37efd6e2b2b63272db05de19d66ae4e46e69eb
                                                                                                                              • Opcode Fuzzy Hash: 1112f72abc3ddb3f83135b63168e5fc10e559540825b375fbe3406e214bcd400
                                                                                                                              • Instruction Fuzzy Hash: 7201B56174E3994FC32B6668A8201A57FB25FC355071A85DFC041CF697CD194C4DC3A3
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: {YTn^$YTn^
                                                                                                                              • API String ID: 0-3324586244
                                                                                                                              • Opcode ID: 5279f42e37f0db966d13a50a57e5554c42557cbd0a08fbf17158ae90c5e25268
                                                                                                                              • Instruction ID: 3e5a568dc31594364f4d64048a59d7680255b5d3286f6a06306c3c7ce9e4e253
                                                                                                                              • Opcode Fuzzy Hash: 5279f42e37f0db966d13a50a57e5554c42557cbd0a08fbf17158ae90c5e25268
                                                                                                                              • Instruction Fuzzy Hash: 3B918371B006145BEF19EFB5C4145AEBAE3EFC4604B00892DD00AAB354DF74BD0A8BD6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1850338667.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_7430000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$J3l$J3l$J3l$J3l$J3l$J3l$r2l$r2l
                                                                                                                              • API String ID: 0-2616406786
                                                                                                                              • Opcode ID: ae667b9bcf3c20cedaf1595c6faeff3bf7526f80f4240297fd261196c29d69e6
                                                                                                                              • Instruction ID: 8dadca5dccdd8fdaa5555753e861ffb17a5084e58a22f31d69ca83e4a3572898
                                                                                                                              • Opcode Fuzzy Hash: ae667b9bcf3c20cedaf1595c6faeff3bf7526f80f4240297fd261196c29d69e6
                                                                                                                              • Instruction Fuzzy Hash: AA2235B5B0020ADFDB149F6898006EBBBE1BF8D211F14847BE909CB351DBB5D945CBA1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1850338667.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_7430000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                              • API String ID: 0-1420252700
                                                                                                                              • Opcode ID: 90bfda2b954c2aa41b02e1ae68a77399b01012ef2f6d270173b5ba5df6ab3876
                                                                                                                              • Instruction ID: 4406840513e90a370a817d4f434b4135ca19fdeecdf23ab2f79e2bb2dd2553ee
                                                                                                                              • Opcode Fuzzy Hash: 90bfda2b954c2aa41b02e1ae68a77399b01012ef2f6d270173b5ba5df6ab3876
                                                                                                                              • Instruction Fuzzy Hash: BE1247B1B043558FCB158A6C98056FBBBA2AF89310F1484ABD549CF391DB35C886CBA1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_441d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9028ed65d52f11fa4e68be254d4f4e3350505d897e49e68334b7e36f9998985e
                                                                                                                              • Instruction ID: 28b98d1315ef951a1aced940c750dd80387ec6a91454c57b1402190d040eeb2a
                                                                                                                              • Opcode Fuzzy Hash: 9028ed65d52f11fa4e68be254d4f4e3350505d897e49e68334b7e36f9998985e
                                                                                                                              • Instruction Fuzzy Hash: 9F210775604240DFCF14DF14D9C4B16BFA5EB84314F24C56EDA0A4B366C336E44BCA61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 514f1fac6f422940387fcda08cf3d3146a0b0e0ed2132a8d4ab0c4c2c67f773c
                                                                                                                              • Instruction ID: c1f85679e75e353b91575d7fcf5d74a4b7eb73965a8287c3714628a184ddb491
                                                                                                                              • Opcode Fuzzy Hash: 514f1fac6f422940387fcda08cf3d3146a0b0e0ed2132a8d4ab0c4c2c67f773c
                                                                                                                              • Instruction Fuzzy Hash: 4D216BB1A017448EEB60CF6AE48878AFBF6FF89310F28C42ED84D97255D67464818F61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 54a145c4e4e6b113015dd4f9767aa2ea9832ed53bc8e9399ef24c3849f4899d9
                                                                                                                              • Instruction ID: 3bcfba49f3997792e818ab39de57b1bad6e064f375df194e3e579108bf328f7e
                                                                                                                              • Opcode Fuzzy Hash: 54a145c4e4e6b113015dd4f9767aa2ea9832ed53bc8e9399ef24c3849f4899d9
                                                                                                                              • Instruction Fuzzy Hash: 43111C397001188FCF04EBACE94099D77F6FBCC226B0440A9E909EB729DA35EC11CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1820893367.000000000441D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0441D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_441d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                              • Instruction ID: 8ac376688a6b625e899788f07063970fa6e56fdb85c049a7f3e3a9b71d48bd64
                                                                                                                              • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                              • Instruction Fuzzy Hash: 0C219D76504240DFCF06CF50D9C4B16BF72FB98314F28C5AAD9494A766C33AD46ACB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1820893367.000000000441D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0441D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_441d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                              • Instruction ID: 1277108ab1822d0224d6b2cc408668b26cc77f47e61856da5604e35df9454813
                                                                                                                              • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                              • Instruction Fuzzy Hash: E1119D75504280DFDB15CF14D5C4B16BFA1FB84328F28C6AAD9494B766C33AE44ACB61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7d592ea445f9f8bc44bf5f0756d7b2ba1f390e683af374fa2ff6f3bca294f323
                                                                                                                              • Instruction ID: bb2a781dff2cbf0b30fe884d82e859d4f57bc04f89b63f29cf0b2c1fa23551c7
                                                                                                                              • Opcode Fuzzy Hash: 7d592ea445f9f8bc44bf5f0756d7b2ba1f390e683af374fa2ff6f3bca294f323
                                                                                                                              • Instruction Fuzzy Hash: 2E012D6120E3D01FD7139B396864A967FB09F87214F0A80EBC4C5CB2A3D8558849C766
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cd35bb11a017ced7b58a79274aaee05b972d073f678de97985d4c999eea88474
                                                                                                                              • Instruction ID: 2aab56174deb9f8ab9a2cd17f771c715816a4d67a368b17bfb4f4e315747ac31
                                                                                                                              • Opcode Fuzzy Hash: cd35bb11a017ced7b58a79274aaee05b972d073f678de97985d4c999eea88474
                                                                                                                              • Instruction Fuzzy Hash: 9201DE316083449FD724CB7AE594A5A7FE4EF46210F1888EEE49ACB6A2DA61F845C701
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5f542fcdcaeb25cff10b3bb7e375290d4eabbd7a70b3557e06626b3bcda1fe3d
                                                                                                                              • Instruction ID: 0ac4d2bed49acf0386fe6a6e1d8b44bce4c2806f21b910a93d588e92d08c861f
                                                                                                                              • Opcode Fuzzy Hash: 5f542fcdcaeb25cff10b3bb7e375290d4eabbd7a70b3557e06626b3bcda1fe3d
                                                                                                                              • Instruction Fuzzy Hash: F6110534204750CFC728DF75D08186ABBF6EF8931976489ADD08A8B7A0DB36F946CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ad1787c2916af3f2fa1f20325cdfd0f4051ce2d2b544456735192a3b90237ab3
                                                                                                                              • Instruction ID: 80183f50311fe761431290fef4c529bbfeac21bad7b9af5c7d3c2e27384fbcca
                                                                                                                              • Opcode Fuzzy Hash: ad1787c2916af3f2fa1f20325cdfd0f4051ce2d2b544456735192a3b90237ab3
                                                                                                                              • Instruction Fuzzy Hash: 2D018C35B002149FCB11DF79EC08AAEBBF6FB88215B10406DE51AD3242DB36A901CF90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1820893367.000000000441D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0441D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_441d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: be7e38d0ac50dcdfb4bfbd97a5b129aa204cea020c3c69b2b9617b492e3f68b3
                                                                                                                              • Instruction ID: 375874e80e86dea021b1daed13bec41035081ec644b461812c1ed3c941c7293d
                                                                                                                              • Opcode Fuzzy Hash: be7e38d0ac50dcdfb4bfbd97a5b129aa204cea020c3c69b2b9617b492e3f68b3
                                                                                                                              • Instruction Fuzzy Hash: A80152B140E3C05ED7124B259894752BFB4EF43224F1DC1DBD9888F2A3C2695849C772
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1820893367.000000000441D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0441D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_441d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f36af598e4ea49e77e2801e0858551199bc7b0967bc637357841ad65e518127d
                                                                                                                              • Instruction ID: 11164922cea37284bf1bc2d199b811419ece10dda557499c7a831955b6fc6bac
                                                                                                                              • Opcode Fuzzy Hash: f36af598e4ea49e77e2801e0858551199bc7b0967bc637357841ad65e518127d
                                                                                                                              • Instruction Fuzzy Hash: E801F7F1909304AAEB204E29DD84767BFD8EF41328F08C52BED480B256C279B846C6B1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 147c9011134de14c1b77acc1cfa8c2c01489b4e9fde82e631df74ba3bc4220af
                                                                                                                              • Instruction ID: b0f5f788977b4c58d418a8179bb41574e276c502c8a6fd321283c703aaa608cb
                                                                                                                              • Opcode Fuzzy Hash: 147c9011134de14c1b77acc1cfa8c2c01489b4e9fde82e631df74ba3bc4220af
                                                                                                                              • Instruction Fuzzy Hash: DBF0C2757092A01FD7108A7A9C84ABBBFEDEBC5620B0445BFF885C7392CA70C8049B60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 1cbbc4808682f51ff1b219478572b7b33f3ecaec6b0229986287c05deb9b5861
                                                                                                                              • Instruction ID: c3ed28751fef148091b4292df1438c837be83a7b4ac5c381fb7597f209593c71
                                                                                                                              • Opcode Fuzzy Hash: 1cbbc4808682f51ff1b219478572b7b33f3ecaec6b0229986287c05deb9b5861
                                                                                                                              • Instruction Fuzzy Hash: B50149716083445FE701AB74C4197AB7BB6DFC2219F1140AFD80947292DD392906C7E1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3dabccae60a8c9e5d19ac6c953ec7a2b92545ec5f805f6a9f1aad26a6335ad47
                                                                                                                              • Instruction ID: 79a0de9522f05b2f009f21c2bc8a88b8a47d1e8f6cc061d5aa6ee7271a10edb0
                                                                                                                              • Opcode Fuzzy Hash: 3dabccae60a8c9e5d19ac6c953ec7a2b92545ec5f805f6a9f1aad26a6335ad47
                                                                                                                              • Instruction Fuzzy Hash: B5E06D7090424D9F8740DFB8D8816AEFFF0AF49210B5081AEC948D7201E6315641CBD1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a572ca82e011055f2a675bc10c87f94e4aab190b9bc7d66957a9931337faa577
                                                                                                                              • Instruction ID: 8be0d81b50ca613d4b968ebd6e6e503b7a10201facdb1f9673b6aeb11c702223
                                                                                                                              • Opcode Fuzzy Hash: a572ca82e011055f2a675bc10c87f94e4aab190b9bc7d66957a9931337faa577
                                                                                                                              • Instruction Fuzzy Hash: 9AF06D709003044FE760DFB9E89C39ABBE5FB44310F00442ED54EC3341DB3968818B90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: deb9fc4c19f26a12edef5b0b64133dd3ee77599954375255ef1a2c03c0cfc450
                                                                                                                              • Instruction ID: 1764c20361c570f5b54402b21cac9dfdcad6f702a05e9ea1e19e29d1f50241a7
                                                                                                                              • Opcode Fuzzy Hash: deb9fc4c19f26a12edef5b0b64133dd3ee77599954375255ef1a2c03c0cfc450
                                                                                                                              • Instruction Fuzzy Hash: 48E086357046155FDB097FB6A81C2AE7A96EBD4729F04002EDE1A83382CF7D590287E9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 75682b20fc5c4de39dd0bdd59e21b2013767eec196800bbae7805cc34549d89c
                                                                                                                              • Instruction ID: 70726a74b17dc642f366a38ec2bac92274cf70b14243a8a00e5936d84786d6df
                                                                                                                              • Opcode Fuzzy Hash: 75682b20fc5c4de39dd0bdd59e21b2013767eec196800bbae7805cc34549d89c
                                                                                                                              • Instruction Fuzzy Hash: A7D05E227021221B265870BA78446BBA9CF9FC54AB7090036AA09C7241FD50EC0163F1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                              • Instruction ID: 289fca1a15c51542353af9ddcdd58926ec22a2cd348a19ecbd88680eb11770ea
                                                                                                                              • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                              • Instruction Fuzzy Hash: 09E08632B00014978B089599E4504D9F7B5EFCC220F04847EDD0AA7340DA32691A9691
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 27fb8c5fe9f3416553c8f2117aa10abf7e51fbc689d9aef5c85e03078d55380a
                                                                                                                              • Instruction ID: 3b2aab1e3f62123ac1b7985a08e8621727ffbc851b8670f03bfbace8548d304e
                                                                                                                              • Opcode Fuzzy Hash: 27fb8c5fe9f3416553c8f2117aa10abf7e51fbc689d9aef5c85e03078d55380a
                                                                                                                              • Instruction Fuzzy Hash: 65E0C2313416145B8611AB2FB81095FBBEAEFC8671350843EE42AC7345DE64ED0A47E5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 84184eacb7d3c134f3139e4d365c8428d8af8ceb71cea1202d9fc091a4cc3e4d
                                                                                                                              • Instruction ID: 8c3147b9752ea018bc065157eb1965224cf5b63ebb656c692357defc55a28d31
                                                                                                                              • Opcode Fuzzy Hash: 84184eacb7d3c134f3139e4d365c8428d8af8ceb71cea1202d9fc091a4cc3e4d
                                                                                                                              • Instruction Fuzzy Hash: 7BD02B2671D1D11BAF57803D74205BE4FE3CBC622070AC079E084C7341CC418C0643D0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 49ebf6393bfdaf5a903623c100e384b93e50f5bac6f6db20ba970d2f024cabac
                                                                                                                              • Instruction ID: 6037bb4b1319f46ffd9def7f4f31e830cd9d3794be87ee5cbdd17ac0904cc505
                                                                                                                              • Opcode Fuzzy Hash: 49ebf6393bfdaf5a903623c100e384b93e50f5bac6f6db20ba970d2f024cabac
                                                                                                                              • Instruction Fuzzy Hash: 0CE0C2313052502BC391ABAEAC14469BFE9EFD666230401BFE519C7382DD2AAC0983E5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 1083c0d310bd41ba4a820f88bd87678b912a504a027d0802ef51bde9293330e4
                                                                                                                              • Instruction ID: 095166daa39efa4432947c55694a7d69b8383a7dbec4bf6adf480c2e89299b5a
                                                                                                                              • Opcode Fuzzy Hash: 1083c0d310bd41ba4a820f88bd87678b912a504a027d0802ef51bde9293330e4
                                                                                                                              • Instruction Fuzzy Hash: 93E04F30915149EBCB09EF64E88D8EDBF70FA01311B00069DD52792951DB35460ACE81
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ccc318208e0ab1af312bc7524eb67ba4e22a4f2fa782ad6a764bf5a47013b8cc
                                                                                                                              • Instruction ID: af23f4c75fe184eff5f6010c5d40e59b9f48d083e60c4a4e87bc1c431b539543
                                                                                                                              • Opcode Fuzzy Hash: ccc318208e0ab1af312bc7524eb67ba4e22a4f2fa782ad6a764bf5a47013b8cc
                                                                                                                              • Instruction Fuzzy Hash: BFE08674E18349DFC714EFA4D95986ABFB0EB05300F0085BCDE4987753EA30A811EB81
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9c07b4057c900dacf818e608768fcb01e0c2f59e7cf1b61a996ae7926e21c381
                                                                                                                              • Instruction ID: cf8a85b98ad7248a9b8392ec325723259b038a826bb1c470f1210c0d94b7b381
                                                                                                                              • Opcode Fuzzy Hash: 9c07b4057c900dacf818e608768fcb01e0c2f59e7cf1b61a996ae7926e21c381
                                                                                                                              • Instruction Fuzzy Hash: 84D0A7353000102B4254AB5EF80446D7BDEDFC9972300013FE61DC3341DE27AC0583E4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                              • Instruction ID: 30934367451badf1250e60b9d299a2d16ff403bd6fa908be00034a1dbad3c46f
                                                                                                                              • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                              • Instruction Fuzzy Hash: 8FD067B1D042099F8780EFADD94156EFBF4EB48200F6085BAC919E7301F7329A12DBD1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_8_2_4570000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 68a47435361c55685c8f2aec82eb04f57d5d0bcaa38b0fa041fa829183c2b4df
                                                                                                                              • Instruction ID: 06a60b4e35d9a692ccb5fba60d7bc866aaa7adf105f6f16c1fc24a6acb5a3156
                                                                                                                              • Opcode Fuzzy Hash: 68a47435361c55685c8f2aec82eb04f57d5d0bcaa38b0fa041fa829183c2b4df
                                                                                                                              • Instruction Fuzzy Hash: 88D06731904109DBCB08FFA5E85A4BDBB74FA14301F40416DD91792591EF352A5ACAC5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000008.00000002.1821427064.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_7bc0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                              • API String ID: 0-1420252700
                                                                                                                              • Opcode ID: 3932996fd883a6ef70e17086b5519738907cd674f20b1b033d9b9f2d544a0afb
                                                                                                                              • Instruction ID: 734282ccd3378a9d0d8e9a1413d5dd7b0a812b2d4d96b001ae80c3e403aee441
                                                                                                                              • Opcode Fuzzy Hash: 3932996fd883a6ef70e17086b5519738907cd674f20b1b033d9b9f2d544a0afb
                                                                                                                              • Instruction Fuzzy Hash: C60244F1B002568FEB15DA68981176ABFE2EFC1310F14C4BED9458B351DB36C985CBA2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (bq
                                                                                                                              • API String ID: 0-149360118
                                                                                                                              • Opcode ID: d8f1a6d331fe3076ce10142d4fb0b752e907fdc07ba260a19a9af83f90f7c499
                                                                                                                              • Instruction ID: 9006dbe7dc5ef3767bc275b8234d14b9877b7876bacd0b19bb6a3d20e7386ec6
                                                                                                                              • Opcode Fuzzy Hash: d8f1a6d331fe3076ce10142d4fb0b752e907fdc07ba260a19a9af83f90f7c499
                                                                                                                              • Instruction Fuzzy Hash: 38412F34B042058FDB19DFA4C554AAEBBF1EF8E315F145099E446AB3A5DB35EC02CB50
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (&^q
                                                                                                                              • API String ID: 0-2067289071
                                                                                                                              • Opcode ID: 713941c9da407f31f226c4ec8cffefbddacebdd777a212c27232a37236e466bc
                                                                                                                              • Instruction ID: 3921e47a0d9791be3cf8d146977538876a61ed06e70eeea8572e47db8d642468
                                                                                                                              • Opcode Fuzzy Hash: 713941c9da407f31f226c4ec8cffefbddacebdd777a212c27232a37236e466bc
                                                                                                                              • Instruction Fuzzy Hash: 8421A175A042588FCB14DFAED40469EBFF5EB88320F14846AD418AB350DB75A905CBA5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 49a94bff2c9890b9df0d89ae600379da005bab86071cf44d57f508c7e9df9cd3
                                                                                                                              • Instruction ID: 31c50e3a29346e7c332f716e7508c982fbd0554f76eb1c3cf89c48f43aa5a743
                                                                                                                              • Opcode Fuzzy Hash: 49a94bff2c9890b9df0d89ae600379da005bab86071cf44d57f508c7e9df9cd3
                                                                                                                              • Instruction Fuzzy Hash: AF918CB4A006058FCB15CF59C4949AEFBB1FF88310B248699E955AB365C736FC52CFA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: eb7c4426f79971761c0c1a0bce37cac2ced2d1fe6ea1a022a3f1059ef067523c
                                                                                                                              • Instruction ID: 3ab058e92701252fb00f156f95c841d958a68e250f9b0c36e45a2e679e3f493b
                                                                                                                              • Opcode Fuzzy Hash: eb7c4426f79971761c0c1a0bce37cac2ced2d1fe6ea1a022a3f1059ef067523c
                                                                                                                              • Instruction Fuzzy Hash: FF611671E00209DFCB14DFA9D584A9DBBF1FF88314F15816AE819AB364EB34AD46CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: fc26232f371555f5ed1d42de27357ababa9fb2e6529bd7658bd9360440e7537c
                                                                                                                              • Instruction ID: 7164d7907a4e5ab3c57124d85e63f97c22567b68d8bf138a167acd2d85e9d41c
                                                                                                                              • Opcode Fuzzy Hash: fc26232f371555f5ed1d42de27357ababa9fb2e6529bd7658bd9360440e7537c
                                                                                                                              • Instruction Fuzzy Hash: 7B513771E00249DFCB54DFA9D584A8DFBF1FF88314F15806AE819AB364EB34A846CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1907505286.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_7bc0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c29d2be5dcaebadc9c516797adfbedd4c9250b1441c2f0ecd395225c55c04138
                                                                                                                              • Instruction ID: 4acebb8f8a7b7d77ba80e34aede814762b43ca39dbf5cd7cb85327abfc8ec2a7
                                                                                                                              • Opcode Fuzzy Hash: c29d2be5dcaebadc9c516797adfbedd4c9250b1441c2f0ecd395225c55c04138
                                                                                                                              • Instruction Fuzzy Hash: 1D41C3F0A002069FEB25CA24C941AAABBF3EF84654B54C0EDD9048F355D739D945CBB6
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6f3f1eb51a85578a22d8311ace5887352be80a18f0281fd9499fe7419a656f43
                                                                                                                              • Instruction ID: 749596910ec1c75a6d5e0c969e848928a7e33f0dac3d905e27ac5dda47ab8713
                                                                                                                              • Opcode Fuzzy Hash: 6f3f1eb51a85578a22d8311ace5887352be80a18f0281fd9499fe7419a656f43
                                                                                                                              • Instruction Fuzzy Hash: EF4139B4A006059FCB09CF58C5989AEFBB1FF88314B158599D915AB364C736FC52CFA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4de07b646e7460617de196dd1c81cf47cdca6524c0e925e2b1006d46074cf28e
                                                                                                                              • Instruction ID: b91a389e113291a60324e4da32a1a13f557e8a098e4e7e53c2921d3c432222b7
                                                                                                                              • Opcode Fuzzy Hash: 4de07b646e7460617de196dd1c81cf47cdca6524c0e925e2b1006d46074cf28e
                                                                                                                              • Instruction Fuzzy Hash: 04319C353002029FC705EB78E854BAAB7A6EFC4215F108139D60ACB365DF75A84ACBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d71f26770eae30cde0260fa0925cbb1a3c8c7947f12458211a108cd32daf8825
                                                                                                                              • Instruction ID: 9455ecc10f11bacbca554363091ca5881031860908e05c66be48951a7a718c25
                                                                                                                              • Opcode Fuzzy Hash: d71f26770eae30cde0260fa0925cbb1a3c8c7947f12458211a108cd32daf8825
                                                                                                                              • Instruction Fuzzy Hash: 7E318B387042519FD714DB79C844A6AB7E6BFC8319F159879D80ACB391EB35EC02CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7adca2904f1911fc2b67fde23607890bb76a64b832513a4deb7c842da1edc541
                                                                                                                              • Instruction ID: f39f93441434635297736ac413902b2b98dc6775d1fb82ac2c58c204f567b071
                                                                                                                              • Opcode Fuzzy Hash: 7adca2904f1911fc2b67fde23607890bb76a64b832513a4deb7c842da1edc541
                                                                                                                              • Instruction Fuzzy Hash: 5B311E74B00105CFDB14CFA4C598AAEBBF1AF8D315F145059E846AB391DB31EC42DB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e5f47d72f0fc3a54d56495c0207b35d6f12a3a599bc64258ecc6289335344ee4
                                                                                                                              • Instruction ID: 450af29cd8a31aa4bd94687ddbc1dbad0a2439b5a215b34adf3c7d0978f219b2
                                                                                                                              • Opcode Fuzzy Hash: e5f47d72f0fc3a54d56495c0207b35d6f12a3a599bc64258ecc6289335344ee4
                                                                                                                              • Instruction Fuzzy Hash: A1315070A0020A9FDB08EFA9D4946AE7BF6EF88314F14907DE405EB354EB759D42CB51
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 433c2d757e2640d9e7dd71f8c09edaf6d3e4a27709c4ae276c3a3f750eca3e58
                                                                                                                              • Instruction ID: 83fb2af053b538fc574350b63b7efca64b01f0abcb79eaf0b64c14b6d33146c2
                                                                                                                              • Opcode Fuzzy Hash: 433c2d757e2640d9e7dd71f8c09edaf6d3e4a27709c4ae276c3a3f750eca3e58
                                                                                                                              • Instruction Fuzzy Hash: 59316470A0020A8FDB08EFA9D4947AE7BF6EF88314F149079E405EB354EB349D428B51
                                                                                                                              Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a51e47efc0247bb12a15f6b10b8ff3ec7534fa02fffc091f21ac44da76900cc5
• Instruction ID: 880a2d570aaf18202735a27009003c62deaf8aa467b73a447f02a6ffc0efac60
• Opcode Fuzzy Hash: a51e47efc0247bb12a15f6b10b8ff3ec7534fa02fffc091f21ac44da76900cc5
• Instruction Fuzzy Hash: 5B3172B8A002059FDB04EBA4D858ABE77B2FFC4704F1584B8C515BF3A4DA799D428F51

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d701cbbe5c6760ed948c7c5066416423870c181e21beac49d0a05e184c13bd37
• Instruction ID: 1bbc9582afd742337db8dbffd3e950676a37cbae8b16fbade52d176ee6902fde
• Opcode Fuzzy Hash: d701cbbe5c6760ed948c7c5066416423870c181e21beac49d0a05e184c13bd37
• Instruction Fuzzy Hash: AE3123B8A002059FDB04EFA4D855ABE77B2FFC4704F118469D515BB3A4DA35DD028F91

Memory Dump Source
• Source File: 0000000B.00000002.1874016201.000000000358D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0358D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_358d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7b586247b1b83ad449f3f4dd96133b7d6dd73b134040b0e9dead4b4435f0a54
• Instruction ID: 43dcd0c304b54de87e97a228184816afaafd22e5c5350299feb9ad4cac32bfdf
• Opcode Fuzzy Hash: a7b586247b1b83ad449f3f4dd96133b7d6dd73b134040b0e9dead4b4435f0a54
• Instruction Fuzzy Hash: BE21F471608200EFDB05EF54F9C0B26BF65FB8C314F24C5AAE9095A276C73AD456CBA1

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c975bfebfc21d2b6af66ab66ff6ecdd6089d5d242cdd2e43d40646fedc49751
• Instruction ID: 2df9a4a4631727e7ea4a815352420f7a82e5ba7a274c2ea5feea0050378090c0
• Opcode Fuzzy Hash: 4c975bfebfc21d2b6af66ab66ff6ecdd6089d5d242cdd2e43d40646fedc49751
• Instruction Fuzzy Hash: 7131BFB0A067448EDB60CF6AC4883CAFFF2EB88314F28C42DC44D9B216C6746446CB61

Memory Dump Source
• Source File: 0000000B.00000002.1874016201.000000000358D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0358D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_358d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9aa589c1039a51acabac04b1af5d41294d0debcd68f95881c3b0b9c713008ec1
• Instruction ID: 5ffb1f51dece7e1aed5dbec3de427372efc6f41454c966488c70b313a6d5eaed
• Opcode Fuzzy Hash: 9aa589c1039a51acabac04b1af5d41294d0debcd68f95881c3b0b9c713008ec1
• Instruction Fuzzy Hash: 8E213475604240DFCB10EF24F9C4B26BFA5FB88314F24CAADD80A5B266C33AD446CA61

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b362c7c9ddf333d23e3149847d3479882583ebeee40b627240e73d036f12d0a
• Instruction ID: 273c270f7ad0f2d631fcd9aeb466c06325632d031dd24caf98d7e139355dab7b
• Opcode Fuzzy Hash: 3b362c7c9ddf333d23e3149847d3479882583ebeee40b627240e73d036f12d0a
• Instruction Fuzzy Hash: E1216BB4A017448EDB60DF6AC48838AFBF2EB88314F28C42DD84D9B256D6746482CB61

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9af799c2062072a68e1936f2eed1ae29672a42a0ffe939bece3761e0c3990f69
• Instruction ID: 065e66b3346fbf33a775f86854cb09f9a9fa3b64f80e32aecc88b84722e82044
• Opcode Fuzzy Hash: 9af799c2062072a68e1936f2eed1ae29672a42a0ffe939bece3761e0c3990f69
• Instruction Fuzzy Hash: 9B1170353002149FDB08DF69E884E6A7BEAFFC97217144569E509DB395DF32EC068BA0

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35221c01c27b71be81a1dd4d90eebfd98a463049fe62b2ce669bfa798b033954
• Instruction ID: c04fabc93475b1688e46d77d1284275d50736f967f607f286dd1d2333b38ea04
• Opcode Fuzzy Hash: 35221c01c27b71be81a1dd4d90eebfd98a463049fe62b2ce669bfa798b033954
• Instruction Fuzzy Hash: 641119397001198FCF04DFA8E940A9D77F6FBC8625B1540A9E509EB364DB35EC068BA0

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fbfebf2cce25c956585098a76b64da78352685816bd52d6cac072e3a6c4b7b3f
• Instruction ID: 77f816cad0fb5476ec3657e78948530edf7666b37ee295aea3eba72543d83818
• Opcode Fuzzy Hash: fbfebf2cce25c956585098a76b64da78352685816bd52d6cac072e3a6c4b7b3f
• Instruction Fuzzy Hash: 1A118EB490D2909FCB03DF6CC8A05E9BFB1EF46314B1580D7C1909B1B2C626AC56CBA5

Memory Dump Source
• Source File: 0000000B.00000002.1874016201.000000000358D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0358D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_358d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
• Instruction ID: 04cb756e64e8de98e31f93768ae22f7dd59459371fda6c1f1d6615b56fefb481
• Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
• Instruction Fuzzy Hash: AA21CD76504240DFDF06DF50E9C4B16BF72FB88314F28C5AAD9094A266C33AD46ACBA1

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6dc1926a1571e0a3c5597ca89cd198e88d7f65723fc9be0a877724da7e4e8c2b
• Instruction ID: 60cb772b6a61b59e854b5d6896a637e8379b31ccdd18183a34d23a34b140a9fe
• Opcode Fuzzy Hash: 6dc1926a1571e0a3c5597ca89cd198e88d7f65723fc9be0a877724da7e4e8c2b
• Instruction Fuzzy Hash: B7118F35705240CFC7169F78E848A99BBF2FB89318F1544AEE459CB352C672AC06CB10

Memory Dump Source
• Source File: 0000000B.00000002.1874016201.000000000358D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0358D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_358d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
• Instruction ID: e345c0bee06df128c11811b8f251a2af5baae14afd3d7b228feb18e5ea5541dd
• Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
• Instruction Fuzzy Hash: 6E11DD79504280DFCB11DF14E5C4B15FFA1FB88328F28C6AAD84A4B666C33AD44ACB61

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c291b5dfc35b2cfd01ce2c052e659267a754879e032e4b51d735c1055cd7a98
• Instruction ID: 7e1993d59617af03a994461ced04bbd1f4ba4be7e091e4a1365d165914189983
• Opcode Fuzzy Hash: 3c291b5dfc35b2cfd01ce2c052e659267a754879e032e4b51d735c1055cd7a98
• Instruction Fuzzy Hash: 2D0122312083849FC715DB39C594A5A7FF0EF45210F1948EEE0CACB6A2DA61F846C701

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd47a7ae538c25baa5fed57b098bc5ac8462f31efff429a8fac5752f182e7fd6
• Instruction ID: c2aec7353c26ee3116543a4efbeda59c8bcd15811f40fe9406570fe76905d094
• Opcode Fuzzy Hash: dd47a7ae538c25baa5fed57b098bc5ac8462f31efff429a8fac5752f182e7fd6
• Instruction Fuzzy Hash: AC018435704215DFCB119FB4E8485AEBBF5FB88215F10406DE51ED3341D7315911CB50

Memory Dump Source
• Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee5c1bc85ff95dba1123db6381b16618b10715d7eb7b48fad644040f14f5b746
• Instruction ID: 607b47ccc319d67ad47a21bb9f3c4123c5ff96a66da7b90ec1907878094c2946
• Opcode Fuzzy Hash: ee5c1bc85ff95dba1123db6381b16618b10715d7eb7b48fad644040f14f5b746
• Instruction Fuzzy Hash: 05F0A47130A3A05FD7018A7A9C5496B7FF9EF86620B1544ABF884CB2A2CAB5CD04C760

Memory Dump Source
• Source File: 0000000B.00000002.1874016201.000000000358D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0358D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_358d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41c51ea5c3b93b9b4614ee625a8932509e0470d7e6f38bce462366e5441eb84f
• Instruction ID: efdc4edf09d8193f82516cf697fcce406a8d36ad23bee3169a22852d731e5199
• Opcode Fuzzy Hash: 41c51ea5c3b93b9b4614ee625a8932509e0470d7e6f38bce462366e5441eb84f
• Instruction Fuzzy Hash: E101F731008304EAE710EB26ED84767FFE8FF41364F1CC469EC085A296D6799841C6B1

Memory Dump Source
• Source File: 0000000B.00000002.1874016201.000000000358D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0358D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_358d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14530c2ee64ebff36ce168e7dcb100d882cd8eadb4ed6a49d004b5ab016ec1ea
• Instruction ID: 0297201c8ffbba07aac12f4effd2c777de4bc6bfc4107f6710fc1346120d5993
• Opcode Fuzzy Hash: 14530c2ee64ebff36ce168e7dcb100d882cd8eadb4ed6a49d004b5ab016ec1ea
• Instruction Fuzzy Hash: F2012D7200E3C09ED7128B259C94B62BFF4EF53224F1D84CBD8889F1A3D2699849C772
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1874016201.000000000358D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0358D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_358d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 258e3419d5808094c14156e6215552b634f935336aa887f3d3b81d57e001a40a
                                                                                                                              • Instruction ID: 571f249c79f6c785298614848b3c0cb338b116f2f72e9fba94f59b887b56c145
                                                                                                                              • Opcode Fuzzy Hash: 258e3419d5808094c14156e6215552b634f935336aa887f3d3b81d57e001a40a
                                                                                                                              • Instruction Fuzzy Hash: 5BF03776200600AFD320DF0AD985C22FBF9EBD4630319C49AE84A9B612C671EC42CAA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ce9dd6d6cdab1a8019b696e439a0c8589a7bfacb9cbdb62d759151412a031711
                                                                                                                              • Instruction ID: e90de6ec1831389d76de34f22af879c375e65cf73ef5676f4cbf410795a008af
                                                                                                                              • Opcode Fuzzy Hash: ce9dd6d6cdab1a8019b696e439a0c8589a7bfacb9cbdb62d759151412a031711
                                                                                                                              • Instruction Fuzzy Hash: 3AF0FC797042514FE355BB34D0583AB7BB2EFC1319F1080AFC41A5B296CD395846C7A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e54ec12076676adee9a6b3f8f7f57bceb61baf03268f1a3b1447bd2c3c421c95
                                                                                                                              • Instruction ID: 4562c6ad6430582ea8d5f0f23d58b32d6d0bde6d0d0152af13f01eab44b350d8
                                                                                                                              • Opcode Fuzzy Hash: e54ec12076676adee9a6b3f8f7f57bceb61baf03268f1a3b1447bd2c3c421c95
                                                                                                                              • Instruction Fuzzy Hash: 18F0E2357002109FC710AB69E884EAFBBE9EBC8261B000A2CE04ED7310CB74AC468760
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 571fae5606b4bd73ea2a1de75cd9377c5dc1c0cbec4167c7ee36e12625345bb9
                                                                                                                              • Instruction ID: 3b99939d91a988f30b0152b865412775de39c293964471b6d7b9c01f14ac6d13
                                                                                                                              • Opcode Fuzzy Hash: 571fae5606b4bd73ea2a1de75cd9377c5dc1c0cbec4167c7ee36e12625345bb9
                                                                                                                              • Instruction Fuzzy Hash: F7F05E347051408FC7119B2DD894CB6BBF69FCA31931A109EE4C5DB732CAA1DC02CB50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1874016201.000000000358D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0358D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_358d000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 02caec9c41c84551dcbe68c66a9c474a8eda333fc5ac2abbce2b7dcaed1fa81d
                                                                                                                              • Instruction ID: bd035e8139e9ab251fea9d86a1fe2c2e27d770cff1d3d8e01ea362cad9b52181
                                                                                                                              • Opcode Fuzzy Hash: 02caec9c41c84551dcbe68c66a9c474a8eda333fc5ac2abbce2b7dcaed1fa81d
                                                                                                                              • Instruction Fuzzy Hash: CAF0F976100640AFD765DF06CD85D23BBF9FB85620B198499A84A9B362C671FC42CFA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d3a174d13b192a826fc0ee1f51b1f2482e235c5adb842ebad7019e5c3678bc7f
                                                                                                                              • Instruction ID: 56ccdf48c20d57a98200fe9176104a64ea0e6cd0f6d02bb856cd968a0c558b6b
                                                                                                                              • Opcode Fuzzy Hash: d3a174d13b192a826fc0ee1f51b1f2482e235c5adb842ebad7019e5c3678bc7f
                                                                                                                              • Instruction Fuzzy Hash: 15F0A036700714DFD714AB6AE844E6FB7E9EBC8665B000A2DE10ED7350DF30AC4687A0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 04c54cc23c9b5fb447dad9da342c0280ce58befa30b243c796ea4ba159079421
                                                                                                                              • Instruction ID: c5c19cd1f128de870727d4fd74cde78639a99a1a39564a7508332b534bbcbfe4
                                                                                                                              • Opcode Fuzzy Hash: 04c54cc23c9b5fb447dad9da342c0280ce58befa30b243c796ea4ba159079421
                                                                                                                              • Instruction Fuzzy Hash: 02F0A0393105158FCB00EBACAC40A997BF2FBC9A55B154569E409DB324EF35DC034B90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 61d07407da6f0b4d445bf988aef852cefa4131ba3bd71d9017804a776a1ac000
                                                                                                                              • Instruction ID: 4c358fc7d23d9f1ac8f9df47529bd62fda50d0b76b33a6d716d13865aecbcd10
                                                                                                                              • Opcode Fuzzy Hash: 61d07407da6f0b4d445bf988aef852cefa4131ba3bd71d9017804a776a1ac000
                                                                                                                              • Instruction Fuzzy Hash: 63F020396042159BE304BB78D0583AB77E6EFC0728F10813AC90B5B395DE3E6802CBE1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9c3ed9a997b63c13c56edd2a6903ea5b0ffce6c1f2cbfbf2f2f405b176a92ed8
                                                                                                                              • Instruction ID: 080745559aa47746ac7a362c365ee92198b4b22284b6a1dba50dac9b70b44ed6
                                                                                                                              • Opcode Fuzzy Hash: 9c3ed9a997b63c13c56edd2a6903ea5b0ffce6c1f2cbfbf2f2f405b176a92ed8
                                                                                                                              • Instruction Fuzzy Hash: A6F0BE7460A3418FD761DF78D4AC39A7FA1EB46214F0008AEE48ECB292CB396882C751
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 89aa1f7321f33bc65040460eb12dadac395ec42b19d1b181f84d90403214147f
                                                                                                                              • Instruction ID: bcaa2d7cf9a6cb0bb723952e408a9a95ca46b86e2b04670e27855921d44d1b69
                                                                                                                              • Opcode Fuzzy Hash: 89aa1f7321f33bc65040460eb12dadac395ec42b19d1b181f84d90403214147f
                                                                                                                              • Instruction Fuzzy Hash: D3F0E53564AB806FC303D32DA810C9F7FA69FC213071504DEE059CB262CEA5D80B87E2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4edb04cb7289bc8591f9fff9981a46a011229077927dd066e7edcfa85b11444d
                                                                                                                              • Instruction ID: a0fc1ebc8fee6d11d72341ef74fea38ad115a6fdba58c7e13b6609d1aa40b842
                                                                                                                              • Opcode Fuzzy Hash: 4edb04cb7289bc8591f9fff9981a46a011229077927dd066e7edcfa85b11444d
                                                                                                                              • Instruction Fuzzy Hash: 01E0ED357401118F87109B1DD458C66B7FAEFCE76571610A9E545CB335DA71EC01CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 341caf1aa9a2dbe468a924ceaca76ec5d44b74127b495c2ffc7235d2292cdb1b
                                                                                                                              • Instruction ID: a08a99ecb314cc96da389cfa851d889c1435986d41f451691b261a52c6e64597
                                                                                                                              • Opcode Fuzzy Hash: 341caf1aa9a2dbe468a924ceaca76ec5d44b74127b495c2ffc7235d2292cdb1b
                                                                                                                              • Instruction Fuzzy Hash: F7E0DF2170B3D10B8712B6B828109BA6FD94FC6068B0A01FEC886DB253DC849C07C3F2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 31abf33f31d93159f8032af9344f37f5b1884f27596ad5ec4cc30553545d616b
                                                                                                                              • Instruction ID: 7646600214e4df5b3152aad7310ee39246d311bcd8c1ddf498b05885a9e906bd
                                                                                                                              • Opcode Fuzzy Hash: 31abf33f31d93159f8032af9344f37f5b1884f27596ad5ec4cc30553545d616b
                                                                                                                              • Instruction Fuzzy Hash: 2FE02B31B0004057CB09C66CD8508F9FF76DFC9210F04847EEC07A7240CA729417D6E1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4863c05be8335633eaee17a9949809f4b2b98f35b435cb591a4d6c47c0fee039
                                                                                                                              • Instruction ID: c85afae6dbbaef0df5df460b486d90445113f8b2fbd698a2f2b95e19b90afda0
                                                                                                                              • Opcode Fuzzy Hash: 4863c05be8335633eaee17a9949809f4b2b98f35b435cb591a4d6c47c0fee039
                                                                                                                              • Instruction Fuzzy Hash: 59F0EC3530D3918FCB067774941C1AD3FB2DBC1618F05006FD54ACB243CE7548058395
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1907505286.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_7bc0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$(l$(l
                                                                                                                              • API String ID: 0-2446002323
                                                                                                                              • Opcode ID: 7aa4bb28556651828d131ebb75a9477bbefae5e07080562b426e060dc7d7c1fe
                                                                                                                              • Instruction ID: 6c81e638bb1bec0f49dd270aad033f8c4d4a6b1b8960f012c513b0e27e19e110
                                                                                                                              • Opcode Fuzzy Hash: 7aa4bb28556651828d131ebb75a9477bbefae5e07080562b426e060dc7d7c1fe
                                                                                                                              • Instruction Fuzzy Hash: 02A168F17043099FE724DA69880476ABBE5EFC5610F58C4EEE44ACB391CE36C845C7A2
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1907505286.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_7bc0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: fcq$4'^q$4'^q$4'^q$4'^q$r2l$r2l
                                                                                                                              • API String ID: 0-146661999
                                                                                                                              • Opcode ID: aeaa01c063c9637fa0f53767eaee053ea677f5c7cd959e145e72728297da7737
                                                                                                                              • Instruction ID: d1f9cc909102ed04e88e4500bf3dc9985244a0d40bd2a922fd3658a1d3ead424
                                                                                                                              • Opcode Fuzzy Hash: aeaa01c063c9637fa0f53767eaee053ea677f5c7cd959e145e72728297da7737
                                                                                                                              • Instruction Fuzzy Hash: E1F155B1704355CFDB15EB689811B6ABBA2EFC2210F14C4BED549CF251DA36C886CBA1
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1907505286.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_7bc0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$$^q$$^q$$^q$(l$(l
                                                                                                                              • API String ID: 0-1209065596
                                                                                                                              • Opcode ID: 706da79572cb0c012f84c678234a6a21b270cf9f3ac3e3e620e6cfeecdaaaab6
                                                                                                                              • Instruction ID: 1cd40aef89eafc33340ad3cd677b33cdf59fb08efe0da932d95dff7621144515
                                                                                                                              • Opcode Fuzzy Hash: 706da79572cb0c012f84c678234a6a21b270cf9f3ac3e3e620e6cfeecdaaaab6
                                                                                                                              • Instruction Fuzzy Hash: EA5165F570430A8FEB24DA698905A66BBE6EFC2610F64C4BFD405CB351DA36C885C793
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ,bq$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                              • API String ID: 0-13851718
                                                                                                                              • Opcode ID: 386edf11aa17225cee2d2e7f98c6f00710867bc97b73aa57fca9d2b2376407eb
                                                                                                                              • Instruction ID: 18a12a4a91109a782b912751f3a839da0e974a84576005926efbb50e3f847458
                                                                                                                              • Opcode Fuzzy Hash: 386edf11aa17225cee2d2e7f98c6f00710867bc97b73aa57fca9d2b2376407eb
                                                                                                                              • Instruction Fuzzy Hash: 6E513D303848548FCB29AF7D959896D3AD6BF88A1531428EAE407CF3B5EE15EC438752
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: tM2l$`_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-701642498
                                                                                                                              • Opcode ID: 01e5d50de05771b61f2bf41b8d1bb50134ad7b9f780e0392fdc1cb55db2874db
                                                                                                                              • Instruction ID: 9b493c4631ed6da052044f7a11a6b7d9fee9f32f084cd747a80c5e03a66afc14
                                                                                                                              • Opcode Fuzzy Hash: 01e5d50de05771b61f2bf41b8d1bb50134ad7b9f780e0392fdc1cb55db2874db
                                                                                                                              • Instruction Fuzzy Hash: 76B1A474E0120A9FDB54DFA9D990A9DFBF2FF88304F108629D819AB314DB34A945CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: tM2l$`_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-701642498
                                                                                                                              • Opcode ID: dfc8d4634280f3cb693bbae0561a6b896892312ef84da95d9e37cce948aadfa4
                                                                                                                              • Instruction ID: ec83e39f9d2ff4a8dbf13a4a0083cfa23da944b8e822f73d542e4bb5c95860c0
                                                                                                                              • Opcode Fuzzy Hash: dfc8d4634280f3cb693bbae0561a6b896892312ef84da95d9e37cce948aadfa4
                                                                                                                              • Instruction Fuzzy Hash: FDB19374E0120A9FDB54DFA9D980A9DFBF2FF88304F108629D819AB314DB74A945CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: `Q^q$$^q$$^q$$^q
                                                                                                                              • API String ID: 0-2499013975
                                                                                                                              • Opcode ID: 862a755fc92cba0019b71217b772aa48db7a4821c86f3d6198b64ded98e0cc3b
                                                                                                                              • Instruction ID: c511402de6fa5d1213ba235eb12f2afa49333240b805c10f39669f434c32451c
                                                                                                                              • Opcode Fuzzy Hash: 862a755fc92cba0019b71217b772aa48db7a4821c86f3d6198b64ded98e0cc3b
                                                                                                                              • Instruction Fuzzy Hash: 11E1D2347405208FDB18AF7C881862E76D7AFC9B14B2454AAD907DF3B9EE25EC438791
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1875053138.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_4ed0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: `_q$`_q$`_q$`_q
                                                                                                                              • API String ID: 0-3297199963
                                                                                                                              • Opcode ID: 5b510a99ba3e3295425659dd728f4ff4738637a6827a49422873cf8b115227f1
                                                                                                                              • Instruction ID: f282cb988cd11f84f773c2cd36a3bb3b96ba125905450e1903418ea097b6ff3e
                                                                                                                              • Opcode Fuzzy Hash: 5b510a99ba3e3295425659dd728f4ff4738637a6827a49422873cf8b115227f1
                                                                                                                              • Instruction Fuzzy Hash: 2F815274E012199FDB54DFA9D990A9DFBF2FF48304F20822AD819AB315E730A945CF90
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1907505286.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_7bc0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                                                              • API String ID: 0-2125118731
                                                                                                                              • Opcode ID: 10e5eb2c623c5c5835fa6cf56f0a61f86cd64f756e3f20fd135ea79aef32b9f9
                                                                                                                              • Instruction ID: af4bacfee6a0f9d9bce9e00e6f8d1fc518aeeff6f3373e002e9659a13a4b4374
                                                                                                                              • Opcode Fuzzy Hash: 10e5eb2c623c5c5835fa6cf56f0a61f86cd64f756e3f20fd135ea79aef32b9f9
                                                                                                                              • Instruction Fuzzy Hash: 2C2135F171020A9BEB34992A8D09B27A7DAEFC1711F34C47EA905CB385DD79E8918361
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000B.00000002.1907505286.0000000007BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BC0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_11_2_7bc0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                              • API String ID: 0-2049395529
                                                                                                                              • Opcode ID: 6be919d51c35824f6f104320a1aa90f06eed81cf370838e404f5e6a11c8adae1
                                                                                                                              • Instruction ID: 8676df84389fdce80305912fd7652ebde5cce7eb76b69da1d0da6ab0a8742b24
                                                                                                                              • Opcode Fuzzy Hash: 6be919d51c35824f6f104320a1aa90f06eed81cf370838e404f5e6a11c8adae1
                                                                                                                              • Instruction Fuzzy Hash: D70149B0704246CFC72A67281C207A5ABF2AFC2A14F1984EFC0418F366CE184C46C7A7